The  Name  Game:  Protecting  DNS  Servers  page  38 


RED  GOLD 




How  crystal  meth  and 
China’s  economic  boom 
fuel  rampant  metal  theft 


BY  SCOTT  BERINATO  page  26 




Michael  Lynch,  CSO 
of  DTE  Energy,  says 
desperate  junkies 
steal  live  wires  to 
sell  for  cash. 


February  2007  $9.00  www.csoonline.com 


THE  RESOURCE  FOR  SECURITY  EXE 


FULL  MONTY 

Bruce  Schneier  on 
why  disclosure  works 
PAGE  20 

FENCING  LESSONS 

CSOs  face  off  with 
organized  retail  crime 

PAGE  42 


Advertisement 


Weathering  Today’s  “Perfect  Storm” 

What  you  need  to  know  to  secure  and  manage  your  enterprise 


Novell. 


By  Richard  Whitehead,  director  of 
product  marketing  for  Novell 

Businesses  are  faced  with  a  "perfect 
storm"  of  global  challenges:  security 
threats,  increasing  complexity,  regulatory 
pressures  and  stiff  competition — to 
name  just  a  few.  We  are  tasked  with 
reconciling  the  many  competing 
demands  on  our  limited  time,  staff  and 
budgets,  including: 

•  The  threat  of  hackers,  insider 
breaches,  phishing  and  identity  theft 

•  Regulations  imposed  by  the  European 
Directive  on  Data  Protection,  the 
Federal  Financial  Institutions 
Examination  Council  (FFIEC),  the 
Gramm-Leach-Bliley  Act,  the  Health 
Insurance  Portability  and  Accountability 
Act  (HIPAA)  and  the  Sarbanes-Oxley 
Act  (SOX) 

•  IT  controls  and  best  practices,  including 
COBIT,  COSO,  ISO,  ITIL  and  NIST 

•  Twenty  years  of  IT  build  out — 
mainframes,  databases,  Windows*, 
UNIX*,  Linux  and  open  source 

Most  organizations  have  developed 
unsustainable  processes,  requiring 
specialists  to  monitor,  analyze,  interpret 
and  report  on  progress.  You  have  likely 
implemented  controls,  adopted  new 
standards  and  deployed  new  technologies, 
but  have  you  also  successfully  reduced 
costs,  complexity  and  risk? 

For  most  of  us  the  answer  is  “yes  and 
no.”  You  have  a  few  wins  you  can  point 
to — a  successful  audit,  better  security 
policies  and  processes  or  perhaps, 
good  return  on  investment  from  a  new 
technology.  Unfortunately  you  are  still 
spending  a  significant  amount  of  time 
and  money  trying  to  mitigate  risk,  reduce 


complexity  and  support  compliance. 
What  can  you  do  differently? 

Simplify,  Simplify,  Simplify 

With  so  many  policies  and  procedures 
outside  of  your  control,  focus  on 
simplifying  processes  that  reduce  your 
administrative  burden  and  support 
compliance.  If  you  cannot  consistently 
enforce  access  control  policies  across 
core  systems,  consider  an  enterprise- 
class  user  provisioning  solution.  You'll 
gain  the  ability  to  automate  access  controls 
based  on  your  business  policies  as  well 
as  the  IT  controls  needed  to  support 
various  regulations  like  SOX  and  HIPAA. 
And  by  adding  a  comprehensive  Web 
access  management  solution  that  includes 
single  sign-on,  you  will  increase  security 
and  simplify  access  for  your  users. 

Gain  Control 

Most  organizations  have  security  and 
compliance  systems  that  generate  reams 
of  data,  but  do  they  truly  have  the  time 
and  personnel  to  make  sense  of  it  all? 
And  if  a  breach  is  discovered,  it's  often 
too  late  to  apply  the  fix  that  will  reduce  or 
mitigate  your  risk.  A  security  information 
and  event  management  (SIEM)  solution 
can  help  you  gain  control  of  your  IT 
environment  by  automating  security  and 
compliance  management.  A  SIEM  solution 
monitors  your  networked  environment 
for  anomalous  behavior  by  capturing 
and  correlating  event  data  from  virtually 
any  system  across  your  enterprise.  It 
automates  monitoring,  reporting  and 
remediation  to  provide  a  real-time  view 
of your IT security environment, streamlining 
and  error-prone  processes  so  you  can 
build  a  more  rigorous  security  and 
compliance  management  program. 


Novell  is  the  only 
company  that  delivers 
an  open  source  platform 
along  with  integrated 
systems,  security  and 
identity  management 
services.  These 
technologies  and 
solutions  can  help  you 
secure  and  manage 
your  enterprise  across 
all  the  platforms  in  your 
infrastructure.  Learn 
more  by  visiting: 


www.novell.com/security 


Advertisement 


Maximize  Your  Assets 

For  years,  we've  all  been  doing  more 
with  less,  so  realizing  the  full  potential  of 
your  IT  systems,  devices  and  resources 
is  as  critical  as  ever.  Are  you  wasting 
money  on  software  licenses  that  aren't 
being  used?  Are  those  company-issued 
PDAs  increasing  your  management 
burden  and  risk?  How  confident  are  you 
that  your  patching  program  is  sufficient 
to  safeguard  business-critical  systems? 

If  you  aren’t  using  a  centralized  systems 
and  resource  management  solution,  you 
aren’t  getting  a  full  return  on  your  investment 
in  key  resources:  desktops,  laptops, 
servers,  handheld  devices  and  more. 

With  an  enterprisewide  systems  and 
resource  management  solution,  you 
can  control  costs,  ensure  security  and 
compliance,  and  optimize  the  value  of 
your  IT  assets  across  diverse  server  and 
client  platforms. 

Simplify,  Control  and  Maximize  Your 
IT  Environment 

If  your  ultimate  goal  is  a  real-time, 
holistic  view  of  security  and  compliance 
from  desktop  to  data  center,  the 
examples  above  are  good  steps  in  the 
right  direction.  And  while  they  may  seem 
like  disparate  examples,  they  are  each 
variations  on  familiar  themes: 

Automation  based  on  policy. 

Every  asset  in  your  IT  environment — 
from  users  to  servers  to  virtual  machines — 
requires  management  throughout  its 
lifecycle.  Whenever  possible,  leverage 
your  business  policies  to  automate  that 
lifecycle  from  acquisition  to  retirement. 
This  will  help  you  enforce  consistent 
security  and  compliance  policies — 
and  ensure  you  get  maximum  value 
from  your  IT  assets. 

Centralized  management  and 
administration. 

If  you  are  integrating  a  large  number  of 
point  solutions,  you  know  how  difficult  it 
is  to  administer  and  manage  these 
systems.  Your  IT  staff  requires  constant 
training  and  highly  specialized  skill  sets 


that  aren't  necessarily  transferable  as  you 
continue  to  build  out  your  infrastructure. 
As  much  as  possible,  consolidate  your 
management  interfaces  and  simplify 
administration  to  reduce  costs  and 
improve  visibility. 

Across  systems  and  platforms. 

Your  security  and  management  solutions 
are  only  as  good  as  the  systems  they 
cover  in  your  IT  environment.  You  can’t 
get  a  complete  picture  of  your  security 
and  compliance  posture  if  you  don’t 
have  a  way  to  monitor  and  manage  all 
your  diverse,  distributed  systems.  If  you 
use  virtualization  to  maximize  your  data 
center  but  you  have  to  manage  your 
Windows  and  Linux  images  separately, 
you  could  get  better  value  from  a 
cross-platform  solution.  Likewise,  if 
you  can  automate  the  creation  and 
provisioning of users’ e-mail accounts, but 
not accounts on your PBX system, 
you  should  consider  an  enterprisewide 
provisioning  solution. 

If  you  are  an  IT  leader  tasked  with 
managing  cost,  compliance  and  risk 
across  a  diverse,  heterogeneous  IT 
environment,  then  you  need  to  take 
another  look  at  Novell.  Novell  offers 
systems,  security  and  identity 
management  solutions  that  put  you 
in  control  of  your  IT  environment. 

Our  award-winning  identity  and  access 
management  technology  is  simplifying 
user  lifecycle  management  for  thousands 
of  enterprises,  just  like  yours.  Our 
market-leading  security  information  and 
event  management  solution  will  help 
you  stay  on  top  of  your  security  and 
compliance  challenges,  so  you  can 
spend  more  time  building  your  business. 
And  our  systems  management  offerings 
help  you  orchestrate  your  IT  functions 
and  manage  your  IT  resources  and 
assets.  Whether  it’s  increasing  staff 
productivity  by  45  percent,  mitigating 
security  and  compliance  risks  or 
managing  assets  from  mainframes  to 
handheld  devices — we  can  help  in 
virtually  all  operating  environments. 


Novell. 


Novell and the Novell logo are registered trademarks of Novell, Inc. in the United States and other countries. *Linux is a registered trademark of Linus Torvalds. All other third-party 
trademarks  are  the  property  of  their  respective  owners. 


Learn  more  now  at  www.novell.com/security 



Theo Lane, a senior 

coordinator  with  Duke 
Energy,  has  seen  cases 
where  thieves  will  sell 
their  stolen  metal  to  a 
scrap  yard,  then  steal  it 
from  that  yard  to  sell  it 
again someplace else. 
PAGE  26 


February  2007 

Vol.  6,  No.  2 


26  cover  story  Red  Gold  Rush 

METAL  THEFT  Metal  has  never  been  more  valuable,  or  more  stolen. 
Inside  the  metal  theft  epidemic  and  CSOs’  struggle  to  contain  the 
problem.  By  Scott  Berinato 

38 DNS (Definitely Not Safe?) 

INTERNET  SECURITY  New  attacks  on  the  Internet’s  domain 
name  system  keep  CISOs  guessing.  Here’s  what  you  can 
do  about  it.  By  Erik  Sherman 

41  Mall  Rats 

LOSS  PREVENTION  Organized  retail  crime  costs 
retailers  billions  of  dollars  each  year,  and  Limited 
Brands’  John  Talarno  is  fighting  back.  Here’s  how. 

By  Sarah  D.  Scalet 


COLUMNS 

20  All  or  Nothing 

SECURITY  COUNSEL  Why  full  disclosure— or 
the  threat  of  it— forces  vendors  to  patch 
flaws.  By  Bruce  Schneier 

22  The  Book  on  Amazon 

MACHINE  SHOP  Can  you  trust  the  giant 
retailer— or  any  Web-based  service— with 
your  information  storage  and  computing 
tasks?  By  Simson  Garfinkel 

DEPARTMENTS 

13  Briefing 

Guatemala  digs  for  the  truth;  The  Security 
Blotter;  Here  comes  image  spam;  (Not  so) 
eminent  domains;  How  to  prevent  workplace 
violence;  Data  drains 

52  Debriefing 

Quiz:  Crowd  Control 


IN  EVERY  ISSUE 

4  CSOonline.com 
6  From  the  Editor 
8  From  the  Publisher 
10  Letters 
50  Index 




»  Branch  office  application  performance  plummeting  with  each  IT  initiative?  See  how  Juniper 
makes  any  branch  office  faster,  with  Juniper  Networks  Application  Acceleration  solutions. 

Only  Juniper  provides  acceleration  across  the  broadest  range  of  application  types  for 
branch  offices,  along  with  an  extensive  portfolio  of  complementary  security  and  transport 
solutions.  So  roll  out  new  applications  while  web-enabling  others.  Replicate  and  back  up 
data  continuously  across  the  WAN.  Save  on  hardware,  application  license  and  WAN 
service  costs  by  centralizing  servers  and  consolidating  data  centers  -  all  while  providing 
LAN-like  application  response  for  branch  office  users:  www.juniper.net/branch 


Juniper Networks 


1.888.JUNIPER 


President  and  CEO 
Michael  Friedenberg 
Publisher  Bob  Bragdon 

EDITORIAL 

Editor  in  Chief  Derek  Slater 
Managing  Editor 
Michael  Goldberg 
Senior  Editors 

Scott  Berinato,  Sarah  D.  Scalet 
Editor  at  Large  Simson  Garfinkel 
Assistant  Managing  Editor 
Emily  S.  Henderson 
Senior  Copy  Editor 
Cathy  Mallen 
Copy  Editor 
Susan  Bryant-Still 
Research  Specialist  and  Reporter 
Margaret  Locher 
Associate  Staff  Writers 
Christopher  Lynch,  Katherine  Walsh 
Editorial  Administrator 
Jill  Paquette 
Contributors 
Erik  Sherman, 

Bruce  Schneier 


A  World  of  Security  Lists 

Whether  you’re  concerned  about  your 
employees’  safety  while  doing  business 
internationally,  or  you  need  to  develop 
an  effective  disaster  recovery  strategy, 
this  collection  of  14  lists  regarding 
security  trends  around  the  globe  will 
help  you.  www.csoonline.com/120106 


Another  Year  of 
Surfing  Dangerously 

The  year  2006  provided  a  constant 
downpour  of  data  breaches,  targeted 
attacks  and  other  information  security 
incidents— all  trends  that  made  it  more 
difficult for the CSO to raise awareness 
and call for security-conscious 
behavior,  Sarah  D.  Scalet  writes  in 
CSOonline.com’s  ALARMED  column. 
“It  means  that  in  2007,  we  can  no 
longer  pretend  that  we’re  fighting  an 
acute  condition.  Information  security 
is  a  chronic  condition,”  Scalet  writes. 
www.csoonline.com/alarmed 


DESIGN 

Executive  Director,  Art  and 
Design  Mary  Lester 
Art  Director  Steve  Traynor 
Associate  Art  Director 

Chandra  Tallman 


RESEARCH 

Research  Manager 
Carolyn  Johnson 
Senior  Research  Analyst 
Seanna  Maguire 

ONLINE  EDITORIAL 

Online  Editorial  Director 

Christopher  Lindquist 
Senior  Online  Editors 
Sandy  Kendall,  Paul  L.  Kerstein, 
Meridith  Levinson,  Esther 
Schindler,  Shawna  McAlearney 
Associate  Online  Editor 
Diann  Daniel 

Online  News  Writer  Al  Sacco 
Online  Copy  Editor  David  Gradijan 

INFORMATION  SYSTEMS 

IDG  Director  of  Information 
Services  Nancy  Newkirk 
IT  Manager  Sean  McCracken 
Senior  User  Support  Specialist 
Christopher  A.  Kay, 
Thomas  Lupien 
User  Services  Specialist 
Gloria  Lam 

Senior  Web  Developer 

David  Cohen 

Web  Developer  Sanghee  Seo 

CXO  MEDIA  /  IDG 

COO  Matt  Smith 
CSO  Robert  Hayes 


Views  from  the  Field 
The  unexpected  security  risks  of 
an airport kiosk. The vulnerabilities 
presented by business partner 
network  links.  The  office  debate  you 
need  to  have  before  you  post  your 
organization’s  privacy  policy.  You 
will  find  these  and  other  provocative 
pieces  at  CSOonline.com’s  CAVEAT 
page. Caveat is a regular opinion column 
contributed by thought leaders, 
scholars,  consultants  and  providers  in 
the  security  field.  They  express  their 
views.  You  are  invited  to  chime  in 
with  comments. 
www.csoonline.com/caveat 


News,  Freshly  Delivered 

Security  incidents,  breaches,  reports 
on  government  and  business:  They 
happen  every  business  day.  Rely  on 
CSOonline.com’s  SECURITY  FEED 
to  keep  you  informed.  Activate  a  news 
feed to have the news delivered to you 
using  your  RSS  aggregator.  Go  to 
www.csoonline.com 


INTERNATIONAL DATA GROUP 

Board Chairman 
Patrick J. McGovern 
President, IDG Communications 
Bob Carrigan 


“This has been my third data breach notice in the past year. We need to place value on the information that is entrusted to us to protect. Some institutions still don’t get it.” 

KEN PFEIL, “Pfeil Not Found,” BLOGS.CSOONLINE.COM 




[Infographic: A World of Lists. Panels: Select Vacation Days per Worker per Year; Natural Disasters in 2005; Select Country Ratings in the Corruption Perception Index; Select Country Rankings in the Payers Index; Highest Reported Murder Rates; Highest Auto Theft Rates.] 


How can we be sure that: 

• Our customers’ credit card data is encrypted? 

• There are no hard-coded passwords in our apps? 

• There are no back doors in our apps? 

• If a laptop goes missing, our data doesn’t go too? 

• Is our software secure? 


THE  ANSWER  IS  OUNCE. 

THE  INDUSTRY'S  MOST  ACCURATE  AND  COMPLETE  SOURCE  CODE 

VULNERABILITY  ANALYSIS 


Get  the  answers:  www.ouncelabs.com/answers 


OUNCE LABS 

866.75.OUNCE 


WWW.OUNCELABS.COM 


©  2007  Ounce  Labs,  Inc. 


MySpace  Is  YourSpace 


By now you’re aware that Time magazine has named You 
as  the  Person  of  the  Year  for  2006.  Congratulations. 


The  reason  for  this  honor  is  your  use  of  weblogs,  MySpace,  YouTube  and 
other  “social  media”  sites  such  as  Digg  and  Reddit,  and  so  on. 

OK, probably a fair number of “You”—CSO readers specifically—aren’t 
using  those  tools  and  sites.  It’s  not  that  You  aren’t  cool.  You’re  certainly  cool 
in  my  book.  But  our  audience  demographic  is  currently  a  bit  older  than  the 
average  person  creating  Machinima  films.  (Google  that  if  You  have  to.) 

But  your  organization’s  employees,  now  they’re  a  different  story.  Even  at 
this  moment,  the  younger  end  of  your  workforce  is  probably  on  MySpace 
or  Facebook  or  Lord-knows-what-dot-com.  Wandering  around  looking  for 
trouble  in  Second  Life.  Texting  their  thumbs  down  to  tiny  nubs. 

The  reason  these  things  are  top  of  mind  for  me  is  that  the  publishing 
industry  is  undergoing  radical  transformation  at  the  hands  of  the  rapidly 
morphing Web. You’ll see our website, www.csoonline.com, evolve gradually 
over the coming year to take better advantage of the ever-changing 
Web.  Already  several  top-notch  CISOs  (Michigan’s  Dan  Lohrmann  and  Ken 
Pfeil  of  WestLB  AG)  are  blogging  on  our  site  to  share  their  experiences  and 
discuss  ideas  with  the  security  community.  If  you  find  Senior  Editor  Scott 
Berinato’s  story  on  metal  theft  (see  Page  26)  as  fascinating  as  I  do,  you’ll 
also  want  to  check  out  the  accompanying  Web  slide  show  he  put  together 
using  photos  supplied  by  DTE  Energy’s  CSO  Michael  Lynch  (view  it  at 


www.csoonline.com/020107).  We’ll  be  doing  more 
of  those,  as  well  as  creating  new  databases  and  news 
feeds  and  generally  finding  ways  to  make  valuable 
information  available  in  creative  new  online  formats. 

And  what  about  You?  What’s  your  company 
doing  with  blogs,  wikis  and  the  like?  Most  security 
coverage  of  these  technologies  seems  to  center  on 
either  the  threat  of  employees  accidentally  divulging 
sensitive  information  on  blogs  or  on  blog  spam,  or 
the  likelihood  of  security  holes  in  Ajax  code. 

These  risks  definitely  warrant  consideration. 
However, this is no time for security to get pigeonholed 
(again) as obstructionist. If technology is creating 
new communication channels and employees are 
embracing  them,  then  CSOs  are  better  off  making 
peace  with  these  channels  and  in  fact  pushing 
for  secure  adoption.  Is  there  a  way  to  use  a  wiki  or 
blogs  to  accelerate  knowledge  sharing  in  your  R&D 
department?  A  way  to  use  Yelp  or  some  Google  Earth 
mash-up  service  to  help  your  business  travelers? 

The  rise  of  social  media  isn’t  something  to  resist. 
It’s  another  opportunity  for  security  to  enable 
an  activity  that  provides  business  benefits.  Take 
advantage  of  it. 

-Derek  Slater 
dslater@cxo.com 




PHOTO  BY  WEBB  CHAPPELL 


Think you've got the latest, most-advanced IT infrastructure on earth? 

Think again. 

Approved by Department of Software: bigfix.com/softwaretruth 


If you're not using BigFix to automate all your IT security and IT operations then you might as well be using punch cards. 

You're a modern business. You're built on an intricate web of partners, suppliers, distributors, and customers. You're interconnected through global, mobile networks. You're running highly distributed SOA and advanced web-based applications. You're open 24x7x365. 

You've Never Been More Exposed 

IT must keep your systems and networks managed, up-to-date, and in compliance, while protecting against spyware, viruses, attacks, and intrusions. 

If IT fails, you're out of business - or worse. 

You'd better be armed with BigFix, the single converged IT security and operations engine. BigFix's proactive single-agent, multi-function architecture enables continuous discovery, assessment, remediation, and reporting for complex and distributed IT environments. All in real-time from a single console. BigFix plugs into what you already have in order to make it work like it should have out of the box. 

60-Day Prove-IT Trial 

More than 500 of the world's largest, most productive and secure organizations are passionate BigFix customers. Find out why with a 60-Day Prove-IT Trial. 

Think What's Next. Think BigFix. 

www.bigfix.com/ITnext 

See us at RSA Booth #746 


BIGFIX 

IT  Just  Works. 


The  State  of  Privacy 


Over the past two years, I’ve spent a lot of time looking at how the issue of privacy is impacting businesses around the world. In the wake of numerous high-profile breaches we have been witness to during this time, one comes to appreciate the unique challenge that all organizations, including CSO, face when they address the privacy issue. 

We speak often about the impact that government and industry regulations 
have made as drivers of security investment. With respect to privacy 
issues,  that  is  certainly  true.  And  few  laws  have  impacted  business  more 
than  California’s  breach  notification  law,  SB  1386.  It’s  a  simple  law  requiring 
organizations  that  experience  a  breach  of  customer  data  to  let  the  customer 
know.  That  one  law  has  changed  how  businesses  perceive  privacy  and  how 
they  address  it.  It  has  made  privacy  a  business  issue  and  has  further  made 
good  privacy  protections  a  component  of  good  business  practice. 

Why?  I  believe  that  Larry  Ponemon’s  research  sums  it  up  best.  Through 
his Ponemon Institute, his research has discovered that each lost (compromised) 
customer record costs a company an average of $182, and that having 
to notify those customers of the breaches has far-reaching implications 
on the business. Of the 23 million adults who have been notified that their 
data had been lost or compromised, 20 percent terminated their accounts 
and another 40 percent consider doing so. (So much for identifying, reaching 
and retaining your best customers.) It was this simple act of notification 
that  forced  the  boardroom  to  wake  up  and  take  notice. 

The  legal  implications  of  this  awakening  are  deep  and  complex.  My  good 
friend  Christopher  Wolf,  an  attorney  at  the  law  firm  of  Proskauer  Rose, 
recently  wrote  a  treatise,  “Proskauer  on  Privacy,  a  Guide  to  Privacy  and  Data 
Security  Law  in  the  Information  Age.”  He’s  done  a  wonderful  job  spanning  the 


breadth of the topic and provides a thorough examination 
of the legal issues that must be addressed. At 
four  inches  thick  it’s  not  a  great  beach  book  but  one 
that  I  would  strongly  recommend  you  give  to  your 
general  counsel  as  a  belated  Christmas  gift. 

Back  in  2002  when  we  first  launched  CSO  I  was 
fortunate  to  meet  Rebecca  Whitener,  EDS’s  chief  risk 
officer  and  an  EDS  fellow.  As  I  struggled  to  make 
the  connection  between  privacy  and  security,  she 
brought  it  clearly  into  perspective  for  me.  She  said, 
“Without  good  security  there  is  no  privacy.”  It’s  that 
simple.  The  work  that  all  of  you  do  to  secure  your 
organizations  creates  the  foundation  upon  which 
your  organizations  can  ensure  that  they  meet  their 
obligations  with  regard  to  privacy. 

It’s  a  never-ending  challenge.  You  must  continue 
to  “educate  up,  down  and  out”  and  make  sure  that 
the  people  in  your  organization  understand  the  value 
of  good  privacy  and  the  risks  associated  with  not 
maintaining  your  vigilance. 

In  2007  CSO  will  be  focusing  again  on  this  issue 
and  its  impact  on  business  in  our  CSO  Executive 
Seminars  on  Privacy,  to  be  held  this  April  in  Chicago 
and Washington, D.C. You can visit www.csoonline.com/conferences 
for more information on these one-day 
conferences and to register to attend. 

-Bob  Bragdon 
bbragdon@cxo.com 




PHOTO  BY  CHRISTOPHER  NAVIN 


The Authenex Strong Authentication System (ASAS®) is the most advanced, cost-effective network security system with two-factor authentication for LAN, remote VPN and web access. Consisting of the ASAS Server and a chip-based token called the A-Key, ASAS provides PKI Challenge-Response or One-Time Password authentication to your users, wherever they are. Because the A-Key token is secure, even if it is lost or stolen, it is unusable to anyone but its owner and administrator. 


FOR  MORE  INFORMATION 


www.authenex.com or call 1.877.AUTHENEX 


3-Way Protection, One Token 

One-Time  Password,  PKI  (Certificates)  or  Challenge-Response  Authentication 
-  all  available  on  the  same  key. 

Quick  and  Easy  Installation 

The  ASAS  solution  is  fully  compatible  with  existing  IT  infrastructure,  VPN  and 
Firewall,  via  RADIUS  and  TCP/IP.  Installation  usually  takes  less  than  30 
minutes. 


Mobile  Identity 

The available My A-Key™ feature stores user profiles which can be utilized with 
applications, such as Single Sign-On. For PKI applications, the ACert™ function 
stores digital certificates and signatures on the A-Key token. 


Authenex 


Cost  Effective  Solution 

An  all-in-one  solution  utilizing  Authenex  proprietary  technology  makes  the  ASAS 
solution  very  affordable  and  ensures  a  quick  return  on  investment. 


©2006 Authenex, Inc. All rights reserved. Authenex A-Key, ASAS, ACert, My A-Key and associated logos are registered or 
unregistered trademarks of Authenex, Inc. All other registered or unregistered trademarks are the property of their respective owners. 



Finding  the  Focus 

GOOD RECIPE [“How to Build a Surveillance Camera System,” December], but I disagree on reducing image quality right from the start, for reason of storage capacity and bandwidth needed. Instead of requiring a specific resolution, formulate end user requirements. For example, if you say, “I need to recognize people’s faces when monitoring and replaying stored images upon an incident,” then the outcome will be a choice of resolution, camera distance and number of cameras for sufficient coverage. Or if you say, “I need video evidence against pickpocketing,” then the outcome will be storage resolution (2CIF, 4CIF) and frame rate (12.5 frames per second). 

JAN  VAN  BOXELAERE 

Solution  Designer 

Siemens  Enterprise  Comms  N.V. 

Belgium 

JUST WANTED to point out what a great article that was, but the part about storage was wholly inaccurate. MPEG-4 transmits data based upon a change in the background of the frame. The author used static values (which were inaccurate as well) and has really done a disservice to the network recorded video community. I am storing 10 to 13 cameras at 4CIF (640x480) at 25 frames per second and 40 percent to 50 percent compression on around 2 terabytes for 30 days. Even uncompressed that data would not come close to the figures that the author uses due to the algorithm that the MPEG-4 codec uses. 

ROSS  I.  GREVES 

Associate,  Kroll 

Recipe  for  Success 

ALAS, THE answering of questions and checking the IP address and time zone do absolutely nothing to protect a user whose PC has been Trojaned [“Success Factors,” November]. The logger installed by the Trojan will capture it all, and then the remote attacker can log in to the user’s PC and use them there. My financial information was stolen through a bank in Ohio that had been hacked this way. I had no relationship with the bank! Banks should be ashamed of themselves for waffling on this important matter. One-time passwords solve these issues. 

JAMES  ROME 

Consultant,  Scientific  Endeavors 

I UNDERSTAND the reluctance of most individuals to utilize a token to generate a changing PIN, but they don’t understand the risk. Personally, I would favor using only a card for ATM transactions, but a one-time PIN for online transactions, such as bill payments, transfers and other “over the Internet” activity. 

JIM  PRINCEHORN 

Senior  Security  Advisor 

Business  Protection  Specialists 

Authentication  Clarification 

I THINK you (and many in the industry, including the vendors) are confused by the difference between federated identity (FI) and single sign-on (SSO) [“The Truth About Federated Identity Management,” October]. FI means that an identity stored in a central, trusted “federated” database is used for authentication (and often authorization) on disparate systems. SSO uses protocols such as SAML to authenticate a federated identity to disparate systems. Imagine using your debit card at a retailer—using the federated identity of your account authenticated by the card, card number and PIN—and then being told at the next retailer that you didn’t need to enter your PIN again since they have SSO with the other vendor. FI means a single set of credentials may be used many times during the worker’s day. SSO means the user need enter those credentials only once per predefined period (day, hour, etc.). 

ALAN THOMPSON 

Information Security Officer 

SRPMIC 


How to Reach Us 

E-MAIL 
csoletters@cxo.com 

PHONE 
508 872-0080 

FAX 
508 879-7784 

ADDRESS 
CSO Magazine, 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208 

SUBSCRIBER SERVICES 
Phone: 866 354-1125 Fax: 847 564-9453 
E-mail: cso@omeda.com 

REPRINTS 
For article reprints (100 quantity or more), contact Jennifer Eclipse at PARS International at 212 221-9595 x237 or e-mail jeclipse@parsintl.com. 

ABOUT IDG International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world. Offering the widest range of media options, IDG reaches more than 120 million technology buyers in 85 countries representing 95 percent of worldwide IT spending. IDG publishes more than 300 newspapers and magazines in 85 countries, led by the Computerworld, Infoworld, Macworld, Network World, PC World and CIO global product lines. IDG offers online users the largest network of technology-specific sites around the world through IDG.net (www.idg.net), a gateway to IDG’s 330 websites powered by more than 2,000 journalists reporting from every continent in the world. IDG also produces 168 technology-related conferences and events, and research company IDC provides global market intelligence, analysis and forecasts in 43 countries. 


We  want  to  hear  from  you 

TO  RESPOND  to  articles  you’ve  read  in 
CSO,  write  to  us  at  csoletters@cxo.com.  We 
welcome  your  thoughts  and  suggestions. 
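The distinction the letter above draws between federated identity and single sign-on can be made concrete with a small model. The following Python is an added example, not code from the letter, the magazine or any product: one identity provider holds the only credential store and signs assertions that two unrelated services accept (federation), and a session with a validity period lets the worker answer a single credential prompt and still reach both services (SSO). The class and function names, the shared HMAC key that stands in for the XML signatures SAML actually uses, and the user, password, service names and session lifetime are all assumptions made for the example.

```python
"""Federated identity vs. single sign-on, as a toy model.

Added example, not code from the letter or from any product. The
identity provider (IdP) holds the only password store; each relying
service verifies IdP-signed assertions instead of keeping passwords
(federation). A time-limited IdP session lets the user answer one
credential prompt and still reach every service (single sign-on).
A shared HMAC key stands in for the XML signatures SAML would use.
"""
import hashlib
import hmac
import json
import secrets
import time


class IdentityProvider:
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._users = {}      # username -> (salt, PBKDF2 hash)
        self._sessions = {}   # session id -> (username, expiry in epoch seconds)
        self.prompts = 0      # how many times a user had to type credentials

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def authenticate(self, user: str, password: str, ttl_seconds: float):
        """Primary authentication: the one step that costs the user a prompt."""
        self.prompts += 1
        record = self._users.get(user)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = (user, time.time() + ttl_seconds)
        return session_id

    def assertion_for(self, session_id: str, audience: str):
        """SSO step: mint an assertion for one service from a live session
        without asking for the password again. None once the session expires."""
        record = self._sessions.get(session_id)
        if record is None or record[1] < time.time():
            return None
        user, expiry = record
        body = json.dumps({"sub": user, "aud": audience, "exp": expiry},
                          sort_keys=True)
        sig = hmac.new(self._key, body.encode(), "sha256").hexdigest()
        return body + "." + sig


class RelyingService:
    """A system that stores no passwords and trusts IdP assertions
    addressed to it (its audience)."""

    def __init__(self, name: str, idp_key: bytes):
        self.name = name
        self._key = idp_key

    def accept(self, assertion):
        """Return the authenticated username, or None if the assertion is
        missing, forged, expired, or meant for a different service."""
        if not assertion:
            return None
        body, _, sig = assertion.rpartition(".")
        expected = hmac.new(self._key, body.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(body)
        if claims["aud"] != self.name or claims["exp"] < time.time():
            return None
        return claims["sub"]


def workday(password_attempt: str = "correct horse", ttl_seconds: float = 8 * 3600):
    """One worker, one prompt, two unrelated services. Returns (prompts,
    user seen by HR, user seen by payroll, whether HR wrongly accepted an
    assertion minted for payroll)."""
    key = secrets.token_bytes(32)                 # constructed IdP key
    idp = IdentityProvider(key)
    idp.enroll("alice", "correct horse")          # constructed user
    hr, payroll = RelyingService("hr", key), RelyingService("payroll", key)

    session = idp.authenticate("alice", password_attempt, ttl_seconds)
    hr_user = hr.accept(idp.assertion_for(session, "hr"))
    payroll_assertion = idp.assertion_for(session, "payroll")
    payroll_user = payroll.accept(payroll_assertion)
    replayed = hr.accept(payroll_assertion) is not None
    return idp.prompts, hr_user, payroll_user, replayed
```

The audience check in `accept` is what keeps federation from collapsing into "one credential everywhere": an assertion minted for payroll is refused by HR even though both trust the same provider, and the expiry is what bounds the SSO period the letter mentions.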


10  www.csoonline.com  February  2007 


VERDASYS


DATA LOSS PREVENTION


Advertising Supplement


SAS

"With Digital Guardian we are able to reduce our risk and provide the level of security needed around all our data. We are now able to verify that the company's intellectual property is being used properly and in compliance with corporate policies, relevant regulatory requirements and industry best practices."

CHIP  KELLY 

SYSTEM  AND  INFORMATION 
SECURITY  MANAGER 
SAS 

SAS,  the  leader  in  business 
intelligence  software  and 
services,  implemented  Digital 
Guardian  for  protection  of 
valuable  outsourced  data  and 
intellectual  property  in  its 
offshore  operations. 


DATA  LOSS  PREVENTION 

Verdasys'  Data  Loss  Prevention  solutions  protect  information,  applications  and  processes 
essential  to  maintaining  the  market  value,  proprietary  assets,  intellectual  property,  reputation 
and  process  integrity  of  a  global  enterprise.  Through  our  Digital  Guardian  platform, 
Verdasys  provides  unparalleled  visibility  and  control  of  information  throughout  an  organization, 
as  well  as  its  extended  global  supply  chain.  Digital  Guardian  establishes  a  secure  virtual 
perimeter  around  business  processes  providing  enterprise  data  containment,  information 
policy  management,  regulatory  and  privacy  assurance  and  secure  outsourcing  across  the 
global  enterprise. 

Traditional  information  security  strategy  and  technology  does  not  adequately  address 
broad,  rapidly  growing  and  related  requirements  for  enterprise  information  risk  management. 
This  is  evidenced  by  publicly  embarrassing  and  growing  corporate  data  loss,  dramatic 
data  privacy  breaches  as  well  as  rising  information  related  crime,  such  as  corporate  IP 
theft,  and  online  identity  based  fraud.  Numerous  security  experts,  polls,  pundits,  media 
reports,  and  most  importantly  -  senior  executives  at  hundreds  of  leading  companies 
around  the  world  confirm  that  reported  incidents  are  just  the  tip  of  an  iceberg. 

Ultimately,  these  incidents  are  related  and  derive  from  networked,  collaborative  business 
processes  that  give  corporate  users  and  customers  data  on  demand;  whenever,  wherever 
and  however  they  access,  use  or  move  information.  These  risks  are  driven  by  powerful 
global  business  trends  that  contribute  to  strong  growth  in  the  world's  largest  companies 
while  increasing  the  risk  and  costs  associated  with  data  loss,  misuse  and  business 
process  compromise. 

•  Global  businesses  distribute  valuable  customer  and  corporate  information 
around  the  world  creating  unprecedented  economic  opportunity  for  growth, 
as  well  as  enormous  potential  for  uncontrolled  data  liability,  misuse  or  loss 

•  New  storage  technologies,  web  based  applications  and  high-speed  networks 
make  it  easier  for  complex  webs  of  partners,  customers  and  even  competitors 
to  interact  constantly  in  real-time,  exchanging,  storing  and  accessing  valuable 
commercial  information  at  increasing  rates  with  decreasing  cost 

•  Mobile  workers  and  outsourcing  give  global  companies  powerful  competitive 
advantages  and  comprise  permanent  trends  -  yet  increasingly  put  valuable  or 
regulated  data  at  risk  in  countries  that  limit  U.S.  and  European  legal  recourse 

•  Governance  and  privacy  legislation  make  corporate  directors  and  senior  level 
management  directly  responsible  for  risks  to  customer  data  and  business  process 
assurance,  dramatically  increasing  the  effort  and  costs  related  to  audit  and  compliance 

In  tracking  these  trends  and  developing  Verdasys  over  the  past  3  years  we've  had  the  honor 
and  opportunity  to  interact  with  thousands  of  CIO's,  CISO's,  IT  managers  and  business 
executives.  All  of  them  want  and  need  the  ability  to  cost-effectively  manage  these  risks 
without  impeding  their  business.  Working  with  prospects  and  customers  we've  defined 
and  delivered  technology  driven  solutions  that  provide  Data  Loss  Prevention,  Enterprise 
Data  Containment,  Information  Policy  Management,  Secure  Outsourcing  and  Regulatory 
Assurance.  Our  Digital  Guardian  solutions  identify  issues  of  data  loss  or  non-compliance, 
automatically  correct  or  prevent  data  loss  and  adaptively  manage  these  risks  before  an  incident 
causes  the  enterprise  a  loss  of  equity  value  or  serious,  direct  or  indirect  economic  losses. 


VERDASYS  INTEGRATED  APPLICATIONS 


Advertising  Supplement 


Application  Compliance 

The  Verdasys  Adaptive  Compliance  platform  enables  centralized  logging,  masking 
and  analysis  of  data  in  use  across  legacy,  web-services  and  client-server  applications 
from  a  single  central  platform.  Digital  Guardian's  Adaptive  Compliance  Modules  include 
the  Application  Logging  Module  and  the  Application  Masking  Module.  Using  Application 
Compliance,  a  company  will  gain  field-level  visibility  (Logging)  and  field-level  blocking 
(Masking)  of  sensitive  data  usage  by  end-users  while  accessing  their  applications  (including 
the  recording  of  login,  view,  creation,  change,  and  deletion  actions  by  end-users).  The 
Application  Compliance  Modules  extend  the  comprehensive  monitoring  and  control 
capabilities  of  the  core  Digital  Guardian  solution  to  protect  data  delivered  by  enterprise 
applications  to  desktops  and  laptops  via  3270  terminal  emulators,  web-based  applications, 
and  client-server  applications.  In  the  past,  this  information  has  proven  to  be  particularly 
difficult  to  log,  monitor  and  protect  because  of  the  heavy  integration  and  extensive 
re-programming  work  necessary  to  modify  legacy  programs  and  databases  to  incorporate 
logging  and  security  features.  Verdasys'  Adaptive  Compliance  solutions  now  make  it 
possible  to  protect  the  data  handled  by  enterprise  applications,  without  the  need  for 
expensive  recoding  or  modification  of  the  applications  themselves. 

Adaptive  Encryption 

The  Adaptive  E-Mail  and  File  Encryption  solutions  extend  the  comprehensive  monitoring 
and  control  capabilities  of  the  core  Digital  Guardian  solution,  to  include  the  application 
of  proven  data  encryption  technology  to  selectively,  or  "adaptively"  protect  corporate 
data.  Using  the  Adaptive  Encryption  Modules,  companies  can  now  flexibly  apply 
encryption  to  protect  proprietary  and  sensitive  information  in  corporate  email  messages 
and  attachments  and/or  in  the  form 
of  files  in  order  to  bring  them  into 
compliance  with  corporate  policies 
and  regulations  governing  the  use 
of  such  data.  Digital  Guardian's 
Adaptive  Encryption  is  unique  in  that  it 
delivers  the  full  benefits  of  encryption, 
without the drawbacks normally associated with the use of this technology (such as the need to implement complex key
management  procedures,  and/or  to  develop  special  document  exchange  procedures  for 
use  with  outside  partners).  This  patented  capability  permits  companies  to  apply  policy- 
based  encryption  only  where  it  is  needed,  and  in  a  manner  that  is  totally  transparent 
to  end-users.  For  instance,  Adaptive  E-Mail  Encryption  can  be  used  to  transparently 
encrypt  data  uploaded  via  email  addressed  to  recipients  outside  the  organization. 

Data  Protection  Policy  Package 

In order to accelerate the process of deploying Digital Guardian into large enterprises, Verdasys has created a number of pre-defined rules and policies. These rules have been organized into data protection policy packs containing pre-written rules and configuration settings that were developed based on experience gained by working with our customers to address Enterprise Data Containment, Intellectual Property Management, Secure Outsourcing and Regulatory Assurance.


Diagram: Digital Guardian assesses the need to encrypt based on context of use, and automatically decrypts at time of use, policy based.


CIGNA 


"Digital  Guardian  is  a  business 
enabler.  For  example,  we 
wouldn't  be  able  to  achieve 
the  significant  business 
benefits  outsourcing  offers 
without  it." 

CRAIG  SHUMARD,  CISO 
CIGNA 

CIGNA,  one  of  the  nation's 
largest  providers  of  workplace 
health  and  related  benefits, 
implemented  Digital  Guardian 
to  ensure  that  users  at  its 
outsourcing  partners  do  not 
inadvertently  or  intentionally 
violate  CIGNA's  information 
security  policies. 


VERDASYS

"Verdasys  customers  are 
consistently  finding  that  a 
combination  of  users  facing 
soft  policies  (warn,  prompts, 
alerts)  with  our  data  level 
transaction  monitoring, 
reduced  undesirable  data 
loss  or  data  misuse  by  almost 
95%,  showing  a  dramatic 
decrease  in  overall  data 
threat  space." 

NICK  STAMOS,  PRESIDENT 
VERDASYS 


Advertising  Supplement 


CONTEXT,  CONTENT  AND  LOCATION  AWARENESS 

To  establish  a  secure  virtual  perimeter  around  an  enterprise,  Verdasys  Digital 
Guardian's  Data  Loss  Prevention  solution  integrates  comprehensive  context,  content 
monitoring  and  location  awareness  along  with  encryption  and  data  level  access  controls 
to  reduce  the  risk  of  information  loss  or  misuse  and  to  protect  information  and  associated 
business  processes  while  at  the  same  time  minimizing  the  total  cost  and  impact  to 
ongoing  operations.  This  approach  is  designed  to  prevent  data  from  leaving  the 
enterprise  through  three  possible  paths  of  exit  -  via  devices,  applications  or  network 
connections. In cases where corporate policy or regulations require encryption of all mobile data, Digital Guardian can transparently encrypt data files and/or e-mail to bring information transfer into automatic compliance.

Integrating  Digital  Guardian's  Adaptive  Content  Inspection,  a  world-class  content 
monitoring  and  filtering  tool,  users  can  configure  the  system  to  detect  highly  sensitive 
information,  such  as  corporate  contracts  and  employee  information,  by  enabling 
authorized  agents  to  search  for  entities  such  as  names,  addresses,  phone  numbers, 
as  well  as  critical  keywords.  Flexible  and  customizable  entity  extraction,  keyword  matching, 
multi-lingual  and  document  similarity  capabilities  transparently  operate  across  more  than 
250  file  formats  to  assure  accurate  content  inspection  and  classification. 

Digital Guardian has a range of options for determining both context and the actions it takes in protecting information. For instance, in determining context, the name of a server or a specific area of a server can be defined as sensitive or proprietary, and a set of user machines, a specific device, or even a network location can determine which information should be protected. In cases where specific documents or types of documents need protection, context can be set based on the type of application (e.g., an Excel spreadsheet), or the files themselves can be scanned for specific content or content patterns (e.g., Social Security numbers, account numbers, etc.). Document tags can also be used in determining how to treat a document.

Combining context and content monitoring, Digital Guardian uses straightforward, user-defined policies to determine what action should be taken in protecting the information. Protective actions may include a simple screen warning to the end-user when they are about to violate corporate policy with the action they are taking. These warnings can be set to require users to add a text justification of their action when prompted. When necessary, user actions can be blocked outright, preventing the specific user actions from taking place and sending an alert to administrators.


Diagram: Where did the data come from? (What type?) What is the user doing with it? (Read, write, print, move, burn, copy/paste, upload, etc.) Where is the data going? Policy and actions.


Autonomy 

"The risk posed by unauthorized distribution of data to and from an enterprise must be managed effectively. We are pleased that our products have become critical components of Verdasys' data security solution."

MIKE  LYNCH,  CEO 
AUTONOMY 

Verdasys  has  integrated 
Autonomy's  IDOL  platform, 
as  well  as  its  Extractor  and 
Profiler  technologies  to  extend 
Digital  Guardian's  data  protection 
and  business  process  integrity 
management  capabilities  by 
enabling  authorized  agents 
to  search  for  entities  such 
as  names,  addresses,  phone 
numbers,  as  well  as  critical 
keywords. 


Networks 


Advertising  Supplement 


Verdasys  Data  Loss  Prevention: 

INTEGRATES  COMPREHENSIVE  CONTEXT,  CONTENT  AND  LOCATION 
AWARENESS  along  with  encryption  and  data  level  access  controls  for  scalable 
data  loss  prevention 

ENABLES  COMPANIES  TO  ENGAGE  IN  PROACTIVE  INFORMATION 
RISK  MANAGEMENT  to  reduce  the  risk  of  data  loss  or  misuse  and  minimize 
regulatory  liability  from  inappropriate  data  usage 

ASSERTS  CENTRALIZED,  COMPREHENSIVE  ENTERPRISE-WIDE  DATA 
LEVEL  VISIBILITY  AND  CONTROL  across  any  user,  system  and  application 
everywhere  data  is  accessed  or  used 

ASSURES  APPROPRIATE  USE  OF  INFORMATION  ASSETS  regardless  of 
where,  how  or  when  they  are  accessed,  across  devices,  applications  and  all 
channels  of  communication 

EXTENDS  BEYOND  THE  CORPORATE  PERIMETER  AND  GOES  WHEREVER 
THE  DATA  GOES,  addressing  internal  and  external  information  risk 

PROVIDES  CONTINUOUS  ENFORCEMENT,  ACCOUNTABILITY,  AUDIT 
AND  AWARENESS  of  corporate  information  policies 

TRANSCENDS  INFRASTRUCTURAL,  GEOGRAPHIC  AND  CORPORATE 
BOUNDARIES,  protecting  the  complete  extended  logical  enterprise  and 
global  business  processes 

SCALES  TO  ENTERPRISE  LEVELS  without  impacting  IT  or  organizational 
performance 

OPERATES SEAMLESSLY WITH EXISTING ENTERPRISE IT ARCHITECTURE AND APPLICATIONS requiring no change to existing business process or organization


BROADCOM. 


"Digital  Guardian's  unique 
capabilities  to  centrally  monitor, 
and  control,  at  point  of  use, 
our  high  value  corporate  data 
and  intellectual  property  across 
our  global  operations,  including 
engineering,  business  and 
manufacturing  processes 
integral  to  our  supply  chain, 
makes  it  an  ideal  solution." 

KEN  VENNER,  CIO 
BROADCOM 

Broadcom,  a  global  leader  in 
semiconductors  for  wired  and 
wireless  communications, 
implemented  Digital  Guardian 
for  company-wide  protection 
of  digital  intellectual  property, 
with  a  strong  focus  on  secure 
outsourcing  and  outsourced 
data  protection. 


CONVERGYS

Outthinking. Outdoing.

"The  ability  to  continuously 
audit  sensitive  data  use  and 
implement  real-time,  risk- 
appropriate  controls  for 
provably  secure  outsourcing 
is  a  key  competitive  advantage 
in  the  IT  outsourcing,  business 
process  outsourcing,  and  call 
center  business." 

BOB LYONS, SENIOR VICE PRESIDENT
CONVERGYS


VERDASYS

BUSINESS  PROCESS  INTEGRITY 


Corporate  Headquarters 

950  Winter  Street 
Waltham,  MA  02451 
info@verdasys.com 
781-788-8180 


EMEA  Headquarters 

400  Thames  Valley  Park 
Drive 

Reading RG6 1PT
United  Kingdom 
emea@verdasys.com 
+44  118  965  3512 


APAC  Headquarters 

Shinjuku  Sky  Bldg.  6F 
1-18-8  Nishi  Shinjuku 
Shinjuku-ku 
Japan 

apac@verdasys.com 
+81  3  5909  1278 


www.verdasys.com 


Convergys,  a  global  leader  in 
providing  customer  care,  human 
resources,  and  billing  services, 
implemented  Digital  Guardian  for 
data  protection  and  information 
risk  management  throughout 
their  U.S.  and  overseas  operations 
to  advance  the  standard  of  care 
in  protecting  customer  data  and 
assuring  the  privacy  and  integrity 
of  information  in  its  business 
processes. 


© 2007 Verdasys, Inc. All Rights Reserved. Verdasys, the Verdasys logo, Digital Guardian, and the Digital Guardian logo are trademarks of Verdasys, Inc. All other logos are the property of their respective owners. The content of this document is subject to change without notice. V2 1-01-07


July  17-18,  2007  :  New  York,  NY 


Topics to include:

Structuring  a  Business  Continuity 
Plan:  Treatment  to  Prevention 

Legal  Requirements 

The  Looming  Threats: 

Terrorism  to  Pandemic 

Selling  the  Plan 

Business  Resiliency  in  the 
Supply  Chain 

Personnel  Training  &  Exercises 

Outsourcing/Insourcing 

Succession  Planning 

Crisis  Case  Studies 

Original  Research:  Best  Practices  in 
Business  Continuity 

Technology  Breakouts 
Platinum Sponsor:

Unisys

imagine it. done.


The  Three  Key  Pillars  of  Resiliency: 

CIO  &  CSO  Business  Continuity  Forum  2007...  Building 
the  Resilient  Enterprise  will  provide  attendees  with  the  key 
strategic  and  tactical  skills  necessary  to  address  the  issues 
of  continuity,  recovery  and  resiliency  in  their  enterprises. 
Attendees  will  walk  away  with  the  knowledge  of  how  to 
enable  enterprise  resiliency  within  their  organizations. 

If  you  are  a  CIO,  CSO,  CTO  or  other  business  technology 
executive  you  won’t  want  to  miss  this  program! 

Mark your calendars now to attend CIO & CSO Business Continuity Forum 2007...Building the Resilient Enterprise. Visit www.cio.com/bc_2007 or call 800.366.0246 for additional program information.


Presented  by: 


Business 

Technology 

Leadership 


CSO 


The  Resource  for 
Security  Executives 


Underwriters: 


ProCurve Networking, HP Innovation

SunGard Availability Services


IMPROVE  YOUR 
PROFESSIONAL  SKILLS 
(ADVANCE  TO 
CREDIBILITY  AVENUE) 


ISACA

Serving IT Governance Professionals


CISA

Certified Information Systems Auditor


Exam Registration Deadline: 11 April 2007
Exam Date: 9 June 2007


Certified Information Security Manager


www.isaca.org/csomag


News,  Stats  and  Fast  Facts  Edited  by  Michael  Goldberg 



INVESTIGATIONS Jorge Villagran supervises one of the most important and sensitive projects in Guatemalan history: preserving and digitizing a massive trove of documents from the National Police files so that the country can gather evidence about human rights abuses and bury the last vestiges of a brutal civil war.

Long thought destroyed, lost or simply nonexistent, the estimated 80 million documents were discovered by accident in July 2005 in abandoned, half-finished buildings in Guatemala that were overrun with bats, rats, mold, termites and insects. Authorities believe the archives from the National Police contain invaluable evidence about human rights atrocities committed during Guatemala’s 36-year civil war that killed 200,000 people and ended with a peace pact in 1996. (The accord between the government and leftist guerillas abolished the National Police. Guatemala is now a democracy.)

“The  discovery  of  these  files  is  extremely 
important,  because  their  existence  had 
always  been  denied,  and  now  it  turns 
out  that  not  only  do  they  exist,  but  their 
volume  is  massive,”  says  Villagran. 

For 10 years, human rights groups have worked tirelessly to document crimes that occurred during the war. But official evidence proving that the police and the military kidnapped, murdered and tortured citizens because of their political beliefs has been hard to come by. Until now.

Villagran works for the government-backed Human Rights Ombudsman Office, whose mission is to clean, safeguard, organize and analyze the documents in search of evidence of past crimes.


Workers  look  through  documents  found  inside  an 
ammunition  bunker  in  Guatemala  City  as  part  of 
an  investigation  into  past  human  rights  abuses. 

The  goal  is  to  bring  human  rights  abusers 
to  justice.  “All  the  testimonies  gathered  [in 
previous  investigations]  are  from  victims. 
This  is  the  other  side  of  the  coin.  These 
are  official  documents,”  Villagran  says, 
explaining  the  official  version  of  history. 

First,  Villagran’s  agency  needed  to 
protect  the  documents,  by  refurbishing 
the  abandoned  document  storehouses. 
Security  guards  are  on  duty  around  the 
clock.  Next  came  records  preservation. 

A  project  to  digitize  the  documents  and 
load  them  into  databases  is  under  way  to 
make  the  documents  available  electroni¬ 
cally  for  analysis.  (Future  plans  call  for 
posting  the  documents  on  the  Web.) 



PHOTO BY DANIEL LECLAIR/REUTERS



Villagran says his agency uses a Kodak scanner to digitize documents and a Minolta scanner to digitize bound records. Workers often have to clean the documents and feed sheets by hand. “There are books, notebooks, individual sheets, standard paper, onion paper, colored paper, paper covered with mold, old paper, new paper,” Villagran says.

Villagran’s team has worked with consultants to create an archiving system to classify records by type to help investigators sort through them. “Mining these documents for their human rights information depends first on the kind of archival work you do and whatever technologies you bring to bear on the materials,” says Kate Doyle, senior analyst at the National Security Archive, a nonprofit research group in Washington advising the ombudsman’s office.

At Doyle’s suggestion, Villagran adopted the open-source Martus document management application developed by the nonprofit Benetech Initiative. It is designed specifically to help human rights groups manage and analyze information they collect. Martus is a free PC application with built-in encryption that is configured for automatically backing up its data to remote servers.

As the 24-hour guard at these document buildings suggests, this is a sensitive project, with alleged perpetrators still alive in Guatemala and facing prosecution.

“The Guatemalans have understood the importance of securing their information,” says Tamy Guberek, Benetech’s Latin America projects coordinator. “They’re very strict on data security. They’ve taken a huge initiative to understand the tool and get the most out of it.”

Hard as Villagran’s team tries, the size and disorganized state of the archive mean the work to scan it all by December, when the $2.5 million budget for this phase of the project ends, won’t be done. The team prioritizes the scanning of files with potential human rights investigative value from the civil war period, but the archive contains other records, including administrative and bureaucratic paperwork spanning about a century.

Here Benetech is also helping Villagran’s team by taking random samples from the archive, so that it will be possible to reach conclusions about its composition, such as what percentage might contain information related to human rights violations, Guberek says. The technology builds “a level of accountability into the analysis of documents that we didn’t have before,” Doyle says. -Juan Carlos Perez


Breaches,  scams  and  other  recent 
incidents  of  note 


Sony pays $1.5 million settlement to settle rootkit lawsuits. The agreements with California and Texas, announced Dec. 19, come seven months after Sony BMG Music Entertainment settled a class-action lawsuit related to its controversial use of copy protection software. The software, called Media Max, used rootkit techniques to cloak itself after installation. It shipped to consumers as part of an estimated 15 million CDs, bundled with artists such as Frank Sinatra, Celine Dion and Earl Scruggs.

Energy Department ousts manager of nuclear weapons stockpile. Energy Secretary Samuel Bodman announced on Jan. 4 the resignation of Linton Brooks, administrator of the National Nuclear Security Administration, citing management and security issues. Bodman said a security breach at the Los Alamos National Laboratory contributed to his asking for Brooks’ resignation. A recent inspector general report criticized the lab’s security as lax. “I do not believe that progress in correcting these issues has been adequate,” Bodman said.

Cheney  to  testify  in  court.  Vice  President  Dick  Cheney  was  scheduled 
to  take  the  witness  stand  for  the  defense  in  the  trial  of  his  former  chief 
of  staff,  The  New  York  Times  reported.  The  trial  of  I.  Lewis  “Scooter" 
Libby  Jr.,  on  perjury  and  obstruction  of  justice  charges  in  a  special 
prosecutor’s  investigation  into  the  leak  of  a  CIA  officer’s  identity,  was 
due  to  open  in  January.  Cheney  is  believed  to  be  the  first  sitting  vice 
president  to  testify  in  a  criminal  case. 

SHORT TAKES. President Bush nominated Mike McConnell to be the new director of national intelligence on Jan. 5. McConnell would succeed John D. Negroponte, who Bush wants as deputy secretary of state.... The Department of Homeland Security dropped plans to create a biometrics system to track departures of foreign visitors, The Washington Post said.... A group of government and business leaders urged President Bush to create a national director of port and cargo security in DHS, Reuters reported.... The Financial Services Information Sharing and Analysis Center created a committee to focus on physical security and business continuity.... A statistical analysis showed that approximately 1,400 outside directors of 460 public companies have received opportunistically timed stock option grants, according to a study by academics at Harvard, Cornell and the French business school Insead.


Tough Environment

EVEN  THOUGH  Guatemala’s  36-year 
civil  war  ended  11  years  ago,  the 
country  continues  to  struggle  to 
establish  domestic  security.  An 
Amnesty  International  report  in  August 
2006  cited  cases  of  murder,  death 
threats  and  a  kidnapping  of  human 
rights  workers  or  their  close  relatives. 

A  rising  homicide  rate  in  2005, 
along  with  organized  crime,  youth 
gangs  and  clandestine  security  forces, 
combines  to  make  stemming  violence 
“a  national  priority  owing  to  its  effects 
on  public  security  and  the  creation  of 
a  state  of  public  alarm,”  the  United 
Nations  Commission  on  Human  Rights 
reported  last  year. 




Oracle  Security 


Does  Your  DBA 

Know  Your  Financial  Results 

Before  Your  CEO? 


Oracle  Database  Vault 


• Support separation of duties for compliance

• Keep data off-limits from the DBA

• Enforce business rules on data access


oracle.com/database/dbvault
or call 1.800.ORACLE.1


Copyright  ©  2006,  Oracle,  All  rights  reserved.  Oracle,  JD  Edwards,  PeopleSoft  and  Siebel  are  registered  trademarks  of  Oracle  Corporation  and/or  its  affiliates. 

Other  names  may  be  trademarks  of  their  respective  owners. 


Briefing 


IMAGE  SPAM-e  -mail  solicitations  that 
use  graphical  images  of  text— is  not  new. 
But  its  rising  sophistication  has  made 
much  of  it  invisible  to  spam  filters  so 
that  it  makes  up  one-third  of  all  spam, 
according  to  Doug  Bowers,  director  of 
antiabuse  engineering  at  Symantec. 
E-mail  traffic— 83  percent  of  which 
was  spam— rose  in  2006,  according  to 
antispam  company  BorderWare,  and 

researchers  there  expect 
image  spam  to  grow. 

The  conceit  of  image 
spam  is  that  people  see 
things  that  computers 
can’t.  To  fool  a  spam 
filter,  you  put  text  that  humans  under¬ 
stand  in  an  image  format;  the  computer 
sees  a  code,  not  letters  and  numbers. 

Some  spam  filters  try  to  recognize 
letters  inside  pictures  using  optical 


character  recognition  (OCR)  technology. 
OCR  was  originally  developed  so  that 
documents  that  were  scanned  into  com¬ 
puters  as  images  could  be  converted  to 
text  by  matching  the  unique  geometry 
of  fonts  to  a  dictionary  of  those  geomet¬ 
ries.  This  bold  A  has  a  certain  shape 
that  an  OCR  engine  can  identify. 

But  the  spammers  outsmart  OCR. 
They  use  unusual  fonts  or  put  noise  in 
the  picture  (added  color,  gaps  in  letters 
that  the  eye  overcomes  and  speckles 
of  color  on  the  page)  so  that  the  OCR 
engine  doesn't  see  letters.  The  latest 
image  spam  uses  tactics  like  word 
salads  (nonsensical  quotes  from  litera¬ 
ture)  as  well  as  animated  and  layered 
GIF  images  that  divide  a  message  into 
several  images  layered  on  top  of  each 
other.  Some  have  even  gone  old-school 
and  removed  links  to  click  on  and 
instead  instruct  users  to  type  a  link  into 
their  browser,  since  many  filters  refer  to 
blacklists  of  known  malicious  links. 

What’s more, the image spam problem is getting mashed up with botnets. Bots distribute most spam, but the botnets are also being programmed to take one spam message and alter the image (by changing the size, shape, colors and other attributes) so that it’s still readable but looks different to the filters that weed out identical e-mails.
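To make the botnet trick above concrete, here is an added example of my own (not code from the article, Symantec or BorderWare): a byte-exact digest, which is what a filter that weeds out identical e-mails compares, changes on any mutation, while a perceptual average hash still groups the brightened, speckled and rescaled variants with the original and separates a genuinely different image. The sample images are constructed inline as grey-value grids; the mutation functions and the 6-bit threshold are my assumptions.

```python
import hashlib

def make_base_image(rows=64, cols=64):
    """Constructed sample 'spam image': white background with three dark bands
    standing in for lines of text. Grey values run from 0 (black) to 255 (white)."""
    img = [[255] * cols for _ in range(rows)]
    for (r0, r1, c0, c1) in ((10, 20, 8, 56), (30, 40, 8, 40), (50, 60, 8, 50)):
        for y in range(r0, r1):
            for x in range(c0, c1):
                img[y][x] = 0
    return img

def make_other_image(rows=64, cols=64):
    """A different constructed layout (full-width bands) that should NOT match."""
    img = [[255] * cols for _ in range(rows)]
    for (r0, r1) in ((2, 10), (22, 30), (42, 50)):
        for y in range(r0, r1):
            for x in range(cols):
                img[y][x] = 0
    return img

# Three mutations of the kind the article attributes to spam botnets:
# colour shift, added noise, and resizing. All are assumptions for the demo.
def brighten(img, delta=20):
    return [[min(255, p + delta) for p in row] for row in img]

def speckle(img, value=128):
    """Deterministic 'noise': every pixel on a sparse lattice becomes mid-grey."""
    return [[value if (y * 31 + x * 17) % 23 == 0 else p
             for x, p in enumerate(row)]
            for y, row in enumerate(img)]

def scale_nearest(img, new_rows, new_cols):
    """Nearest-neighbour resize, so the message stays readable."""
    rows, cols = len(img), len(img[0])
    return [[img[y * rows // new_rows][x * cols // new_cols] for x in range(new_cols)]
            for y in range(new_rows)]

def exact_fingerprint(img):
    """Byte-exact digest: what a filter that weeds out identical e-mails compares."""
    h = hashlib.sha256()
    for row in img:
        h.update(bytes(row))
    return h.hexdigest()

def average_hash(img, size=8):
    """Perceptual 'average hash': split the image into size x size blocks, take each
    block's mean grey level, and emit one bit per block (1 = brighter than the
    image mean). The coarse layout survives small changes in size, brightness and noise."""
    rows, cols = len(img), len(img[0])
    means = []
    for by in range(size):
        for bx in range(size):
            y0, y1 = by * rows // size, (by + 1) * rows // size
            x0, x1 = bx * cols // size, (bx + 1) * cols // size
            cells = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            means.append(sum(cells) / len(cells))
    overall = sum(means) / len(means)
    bits = 0
    for m in means:
        bits = (bits << 1) | (1 if m > overall else 0)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def is_near_duplicate(img_a, img_b, threshold=6):
    """Treat two images as the same spam if their hashes differ in only a few bits."""
    return hamming(average_hash(img_a), average_hash(img_b)) <= threshold

if __name__ == "__main__":
    base = make_base_image()
    for name, variant in (("brightened", brighten(base)),
                          ("speckled", speckle(base)),
                          ("rescaled", scale_nearest(base, 96, 96))):
        same_bytes = exact_fingerprint(variant) == exact_fingerprint(base)
        print(name, "identical bytes:", same_bytes,
              "near-duplicate:", is_near_duplicate(base, variant))
    print("other layout near-duplicate:", is_near_duplicate(base, make_other_image()))
```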

Worst of all, says Andrew Graydon, CTO of BorderWare, image spam files are twice the size of previous spam messages, a network bandwidth and storage headache for companies required to store every received e-mail.

$PAM

WHAT TO DO

1 Invest in technology. Vendors are working to improve image spam filtering. It costs money for software and infrastructure, and your choices may be limited.

2 Take draconian measures with e-mail policy. Consider blocking all attachments, for example. While your organization could take a productivity hit, it will reduce image spam’s ability to reach you.

3 Lobby for antispam policies in government and industry. Urge the government, ISPs and standards bodies to employ techniques, such as e-mail postage, that will reduce spam. The effort takes time and energy, but it attacks the problem at its core.

For years now, spam and spam filtering have waged a back-and-forth battle. Spam beats filters, filters improve. Repeat. Image spam is proving harder to filter because computers simply aren’t that good at understanding what’s in an image.

Some companies have started to update their spam filter engines to try to better control image spam, but companies should have no illusions about such reactive measures controlling the problem. New fronts in the fight—new spam delivery methods, like Google alert feeds and audio and video formats—are ahead.

-Scott  Berinato 


NOT SO EMINENT DOMAINS

A RECENT STUDY commissioned by Infoblox and performed by The Measurement Factory suggests that incorrectly configured DNS servers present a security problem waiting to happen.

■ Estimated number of DNS servers: 9 million

■ DNS servers that allow recursive name services that relay requests to other name servers: more than 50%

■ Vulnerability opened by recursive operations: pharming attacks

■ DNS servers that allow zone transfers, which enable duplication of DNS data: 29%

■ Vulnerability opened by zone transfers: denial of service attacks

■ DNS servers running BIND 8, an older, less secure and less reliable version of DNS software, in 2006: 15%

■ Those running BIND 8 in 2005: 20%

More on DNS security at “DNS: Definitely Not Safe,” Page 38.
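As an added example (my own code, not from Infoblox or The Measurement Factory), here is a minimal DNS header check that classifies a server's reply to a recursion probe or to an AXFR request, the two misconfigurations the study counts, so an administrator can audit the servers they run. The sample replies are constructed inline; the label names and the default transaction id are my assumptions.

```python
import socket
import struct

# Flag bits in the 16-bit DNS header flags word (RFC 1035, section 4.1.1).
QR = 0x8000          # 1 = message is a response
RD = 0x0100          # recursion desired (set by the client)
RA = 0x0080          # recursion available (set by the server)
RCODE_MASK = 0x000F
RCODE_REFUSED = 5
QTYPE_A = 1
QTYPE_AXFR = 252     # full zone transfer request

def encode_name(name):
    """Encode a dotted name as length-prefixed labels, e.g. www.example.com
    becomes 3 'www' 7 'example' 3 'com' 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=QTYPE_A, txid=0x1234, recursion_desired=True):
    """Build a one-question DNS query. RD is set for the recursion probe; an AXFR
    probe (qtype 252) is normally sent over TCP with a 2-byte length prefix."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg):
    """Return the fields of the 12-byte DNS header that the audit needs."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "ancount": ancount,
    }

def classify_recursion(resp, expected_id=0x1234):
    """Interpret the reply to an RD=1 query for a name the server is NOT
    authoritative for. 'open-recursion' means it looked the name up for us."""
    h = parse_header(resp)
    if h["id"] != expected_id or not h["qr"]:
        return "not-a-response"
    if h["rcode"] == RCODE_REFUSED:
        return "refused"
    if h["ra"] and h["ancount"] > 0:
        return "open-recursion"
    if h["ra"]:
        return "recursion-offered"      # RA set but nothing came back (NXDOMAIN etc.)
    return "recursion-disabled"

def classify_axfr(resp, expected_id=0x1234):
    """Interpret the reply to an AXFR query: any answer records means the server
    handed out the zone; REFUSED means transfers are restricted."""
    h = parse_header(resp)
    if h["id"] != expected_id or not h["qr"]:
        return "not-a-response"
    if h["rcode"] == RCODE_REFUSED:
        return "refused"
    return "zone-transfer-allowed" if h["ancount"] > 0 else "no-data"

def sample_response(flags, ancount, txid=0x1234, name="www.example.com"):
    """Constructed sample reply (not captured traffic): header plus the echoed
    question; answer records are counted in the header but not encoded here."""
    header = struct.pack("!HHHHHH", txid, QR | flags, 1, ancount, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, 1)

def probe_recursion(server, name="www.example.com", timeout=3.0):
    """Send the recursion probe over UDP to a server you administer (not run here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        resp, _ = s.recvfrom(4096)
    return classify_recursion(resp)

if __name__ == "__main__":
    print(classify_recursion(sample_response(RD | RA, 1)))        # open-recursion
    print(classify_recursion(sample_response(RD | RCODE_REFUSED, 0)))  # refused
    print(classify_axfr(sample_response(0, 12)))                  # zone-transfer-allowed
```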


16  www.csoonline.com  February  2007 


WHAT IF "YOU'RE FIRED" WAS ONLY SAID ON

It wouldn't make employees angry or fill their minds with criminal intent.

And businesses might not need the support of security experts proficient in both access control and video. They wouldn’t want a security controller that provides the highest level of encryption on the market. Wouldn’t care about cameras that provide images so impressive they’re used to monitor many of the nation’s busiest highways. Wouldn’t need to get critical technical support for both their video and access control systems with a single call. If no one was ever fired, businesses wouldn’t need the most comprehensive pre- and post-sales support to make security reliable and easy. Because it already would be. It all starts by completing the short questionnaire at www.tycoforyourworld.com or by calling 888-840-1438.

SECURITY FOR YOUR WORLD.

American Dynamics | Software House® | Kantech | Access control and video systems

Tyco Fire & Security

Briefing

Workplace Violence

EXPERTS SAY most perpetrators of workplace violence signal that they have a problem. Prevention means staying alert to those signals, encouraging employees to report potential problems and practicing response plans. Share these pointers with your HR and management teams.

1 BUILD A RESPONSE TEAM. Recruit a core group that includes HR, security, business unit management and, if possible, a trained mediator and a crisis counselor. Practice responses to simulated scenarios for each person’s role. Specify what is tolerable behavior on the premises, what will lead to removal, and when it is appropriate to disable an employee and call the authorities.

2 KNOW THE LAW. Your rights and responsibilities in a crisis vary depending on who is acting violently. Is the person an employee or a stranger? Has he threatened someone, or is he just acting erratically? Bring in local law enforcement to educate your team on the state laws that will govern your response.

3 WATCH FOR SIGNS. Make sure employees know to always report suspicious comments or behavior to the CSO or HR (or both) no matter how minimal the threat seems. Watch for events that can trigger violence: being passed over for a promotion, marital strife and, especially, public embarrassment. Educate managers on how to recognize those signals. (One tip: Never publicly insult or criticize someone who is behaving badly.)

4 DEFUSE A SIMMERING CRISIS. Separate bickering employees’ work spaces. Give an angry employee time off to cool down. Transfer a worker to eliminate a strained employee-manager relationship. Take performance reviews out of managers’ hands and give them to a neutral third party. Most of all, treat people with respect.


5 REMOVE THE SOURCE. Evacuate the target of a violent person's anger. Have that person leave the room or go home. You might also arrange to protect him until the crisis is defused.

6 USE A MEDIATOR. A neutral person can help defuse a conflict. Appoint a plainclothes security staffer trained in mediation and crisis counseling to handle the conflict. A person in authority, or in uniform, can make an agitated person feel cornered.

7 ISOLATE IN A NEUTRAL OFFICE LOCATION. This separates the employee from the source of his anger. Choose this site during planning. A crisis team member should be ready to call police.

8 ESCORT AND WARN, OR DISABLE. If the person turns violent, disable him by pinning him to the ground, for example. Get police onsite as soon as possible. If the person appears calm, escort him off the premises. Inform him that he is no longer welcome on the property.

9 STAY VIGILANT. If the person is an employee, cancel access cards and network accounts. Inform office building tenants of the incident; include a picture if possible. Brief guards and surveillance staff to be on the lookout in case the person returns.

-Scott  Berinato 


SOURCE:  "HOW  TO  PREPARE  FOR  WORKPLACE  VIOLENCE.” 
WWW.CSOONLINE.COM/READ/120W5 


DATA  DRAINS 

PRIVACY On Dec. 13, 2006, when Boeing acknowledged a laptop with files containing the private data of 382,000 current and former employees, the tally that Privacy Rights Clearinghouse has kept since early 2005 of data breaches made public reached an artificial yet interesting milestone: 100 million records. In 2006 the Privacy Rights Clearinghouse and Attrition.org cataloged 2 dozen breaches with more than 100,000 records of sensitive information—and that doesn’t include breaches where the total is unknown, such as the personal data of “potentially millions of registered voters” the Ohio secretary of state sent to 20 political campaigns last April. Here are the five biggest breaches of 2006.


RECORDS POTENTIALLY BREACHED | WHERE AND WHEN MADE PUBLIC | WHAT HAPPENED

28.6 million | Veterans Affairs Department, May 22 | Laptop stolen from employee's home holds veterans' personal data. Computer recovered and FBI forensics says no data accessed; veterans agency contracts monitor to see if data misused.

2.6 million | Circuit City, Chase Card Services, Sept. 7 | Computer data tapes containing Circuit City cardholders’ data mistakenly discarded.

1.7 million | Texas Guaranteed Student Loan Corp., May 30 | Worker at subcontractor loses equipment containing borrowers’ names and Social Security numbers.

1.35 million | Chicago Election Board, Oct. 23 | Illinois activists report they hacked into voter database where names, Social Security numbers, dates of birth are viewed.

1 million | American Red Cross, St. Louis chapter, May 24 | Employee with access to donors’ Social Security numbers allegedly uses three records for ID theft scheme.

SOURCES: PRIVACY RIGHTS CLEARINGHOUSE, ATTRITION.ORG




PHOTO  TOP  BY  GETTYONE;  BOTTOM  BY  iSTOCKPHOTO.COM 


A world leader in digital security

Secure, convenient solutions for identification, communications and transactions

In an increasingly connected digital world, Gemalto brings security and freedom to our everyday lives. Over 1 billion of us already benefit from Gemalto's secure personal platforms and services by allowing us to:

Authenticate online and pay securely from anywhere without the loss of identity
Communicate, access and share content via mobile devices with greater confidence
Identify ourselves for access to corporate networks, buildings and transportation

Combining the strengths of market and technology leadership, Axalto and Gemplus merged to form Gemalto, delivering trusted, convenient services to customers worldwide.

888-343-5773 | www.gemalto.com

gemalto: security to be free


Security Counsel

All or Nothing

Why full disclosure—or the threat of it—forces vendors to patch flaws
By Bruce Schneier

FULL DISCLOSURE, THE PRACTICE of making public the details of security vulnerabilities, is a damned good idea. Public scrutiny is the only reliable way to improve security, while secrecy only makes us less secure.

Unfortunately, secrecy sounds like a good idea. Keeping software vulnerabilities secret, the argument goes, keeps them out of the hands of the hackers. The problem, according to this position, is less the vulnerability itself and more the information about the vulnerability.

But that assumes that hackers can’t discover vulnerabilities on their own, and that software companies will spend time and money fixing secret vulnerabilities. Both of these assumptions are false. Hackers have proven to be quite adept at discovering secret vulnerabilities, and full disclosure is the only reason vendors routinely patch their systems.

To understand why the second assumption isn’t true, you need to understand the underlying economics. To a software company, vulnerabilities are largely an externality. That is, they affect you—the user—much more than they affect the vendor. A smart vendor treats vulnerabilities less as a software problem and more as a PR problem. So if we, the user community, want software vendors to patch vulnerabilities, we need to make the PR problem more acute.

Full disclosure does this. Before full disclosure was the norm, researchers would discover vulnerabilities in software and send details to the software companies—who would ignore them, trusting in the security of secrecy. Some would go so far as to threaten the researchers with legal action if they disclosed the vulnerabilities.

Later on, researchers announced that particular vulnerabilities existed but did not publish details. Software companies would then call the vulnerabilities “theoretical” and deny that they actually existed. Of course, they would still ignore the problems and occasionally threaten the researcher with legal action. Then, of course, some hacker would create an exploit using the vulnerability—and the company would release a really quick patch, apologize profusely and then go on to explain that the whole thing was entirely the fault of the evil, vile hackers.

It wasn’t until researchers published complete details of the vulnerabilities that the software companies started fixing them. The software companies hated this. They received bad PR every time a vulnerability was made public, and the only way to get some good PR was to quickly release a patch. For a large company like Microsoft, this was very expensive.




So a bunch of software companies and some security researchers banded together and invented “responsible disclosure” [Editor’s note: See “The Chilling Effect,” www.csoonline.com/read/010107]. The basic idea was that the threat of publishing the vulnerability is almost as good as actually publishing it. A responsible researcher would quietly give the software vendor a head start on patching its software before releasing the vulnerability to the public.

This was a good idea—and these days it’s normal procedure—but one that was only possible because full disclosure was the norm. And it only remains a good idea as long as full disclosure is the threat.

The moral here doesn’t apply just to software; it’s very general. Public scrutiny is how security improves, whether we’re talking about software or airport security or government counterterrorism measures. Yes, there are trade-offs. Full disclosure means that the bad guys learn about the vulnerability at the same time as the rest of us—unless, of course, they knew about it beforehand—but most of the time the benefits far outweigh the disadvantages.

Secrecy prevents people from accurately assessing their own risk. Secrecy precludes public debate about security and inhibits security education that leads to improvements. Secrecy doesn’t improve security, it stifles it.

I’d rather have as much information as I can to make an informed decision about security, whether it’s a buying decision about a software product or an election decision about two political parties. I’d rather have the information I need to pressure vendors to improve security.

I don’t want to live in a world where companies can sell me software they know is full of holes or where the government can implement security measures without accountability. I much prefer a world where I have all the information I need to assess and protect my own security. ■


Bruce  Schneier  is  founder  and  CTO  of  Counterpane  Internet  Security. 
Send  feedback  to  csoletters@cxo.com. 


What’s  Your  Counsel? 

HAVE  SOME  advice  for  your  peers?  Pitch  your 
topic  to  Editor  Derek  Slater  at  dslater@cxo.com. 




LURHQ and SecureWorks have merged to become the most effective managed security services provider. Get more info at: http://www.secureworks.com | 877.905.6661 | info@secureworks.com

Security Device Management | Enterprise Security Monitoring | Security Information and Event Management | Vulnerability Scanning | Threat Intelligence | Professional Services | E-mail Encryption


Expertise  is  ten  years  of  continued  focus. 

Expertise  is  performing  the  service  right  the  first  time. 

We  do  more  than  meet  objectives.  We  exceed  expectations. 


Machine Shop

The Book on Amazon

Can you trust the giant retailer—or any Web-based service—with your information storage and computing tasks? By Simson Garfinkel

AMAZON.COM WANTS TO sell your organization a whole lot more than books, music and electronics. Amazon, the Seattle-based e-commerce giant, wants to rent your organization storage space for your mission-critical data and virtual machines for doing your information processing. The offerings are enterprise-quality, and the prices are astonishingly low. But is it safe to trust your business to Amazon’s infrastructure?

These days it’s common for businesses to host their websites and e-commerce systems at colocation facilities. And increasingly much of this equipment is outsourced as well. Although many businesses still like to buy their own servers, disk arrays, load balancers and firewalls, it’s much more economical to rent a few dedicated servers at a service provider and let somebody else worry about the plumbing. ISPs get economies of scale by managing hundreds or thousands of identical machines, while the customer can concentrate on building a high-quality website.

Elastic Computing

Amazon’s new Elastic Compute Cloud (EC2) Web service takes this idea of hosted servers to a new level. Instead of renting physical servers on a month-by-month basis, Amazon is now renting virtual computers by the hour—10 cents an hour, to be exact. That 10 cents gets you the equivalent of a 1.7GHz Xeon processor with 1.25GB of RAM and 160GB of hard drives. Bandwidth is 250Mbps, at the cost of 20 cents per gigabyte transferred.

One reason that EC2 is so cheap is that the virtual servers can crash at any time and they aren’t backed up. If you want to build a reliable system, you need to do it yourself by renting multiple servers and fashioning them into a redundant cluster. This approach provides not just redundancy but scalability. For example, you might build a little e-commerce website with two Web servers and two database engines. If you notice that your site is more popular on weekdays than on weekends, you might bring up an extra two or three servers on Mondays and shut them down on Friday afternoons. By forcing the customer to address the issue of backup and scaling directly, EC2 lowers costs for both Amazon and the customer alike.

Simple Storage

Applications that need more than 160GB of storage should use Amazon’s Simple Storage Service (S3). With S3, data is stored redundantly on multiple computers at multiple data centers around the world. Information can be stored with HTTP “PUT” commands and downloaded with HTTP “GET”. The cost to store data is 15 cents per gigabyte per month, with an added bandwidth cost of 20 cents for every gigabyte of data that’s uploaded or downloaded. Fortunately, there is no cost to move data between EC2 and S3. According to Amazon, you can store an “unlimited” amount of information with S3, which basically means that Amazon can buy disks faster than your organization can fill them.

Lately I’ve been doing a lot of research in computer forensics. My database is roughly 1,000GB in size, and my last experiment took four weeks of computer time to execute on a single computer. With Amazon’s Web Services I can store my data in multiple data centers for just $150 a month. Instead of spending four weeks to run an experiment, I can instantiate 28 virtual machines and run the experiment in a day for $67.20. Or I can instantiate 168 machines and run the experiment in four hours for that same $67.20.

But before you turn your business over to Amazon, there are a lot of questions that you need to consider. Are EC2 and S3 just toys, or are they reliable enough for production systems? What is the chance that an EC2 virtual machine will be taken over or shut down by a hacker? How secure is the information stored in S3—who can access it, and who can change it? And what is Amazon’s commitment to these services? Most of these questions, it turns out, have something to do with security.




ILLUSTRATION  BY  ANASTASIA  VASILAKIS 


©2006 Sharp Corporation

If you don't take control of your data, someone else will.

INTRODUCING THE SHARP MX-SERIES. These color MFPs help prevent sensitive information from falling into the wrong hands by providing two layers of advanced security. First they encrypt digital information, then they overwrite the disk. It's no wonder Sharp won BERTL's Best Security Solutions Suite for 2005, the BERTL 5-Star Exceptional rating for product usability and the BLI award for "IT Friendliness." Be secure. Be Sharp. Visit sharpusa.com/security

As an ENERGY STAR Partner, Sharp has determined that this product meets the ENERGY STAR guidelines for energy efficiency.

MX-SERIES


I’ve been working with EC2 and S3 daily and think that the service is reliable enough for me to start on the process of moving much of my research from computers that I own to virtual machines that I’m renting from Amazon on an as-needed basis. But I don’t think that EC2 and S3 are yet providing what’s required to service corporate customers.

To use EC2 you create a disk image of a Linux server. This image is digitally signed, encrypted, split into pieces and stored in S3 using tools that Amazon provides. You can instantiate a virtual machine with a remote procedure call to the Amazon Web Services (AWS). Ten minutes later the machine is running; another remote procedure call will give you its IP address.

Keys to Security

There are two complementary systems for access control. First, since you create the image for the virtual machine, you can determine the accounts that it will have when it starts up. Amazon provides tools that make it easy to create a public/private key pair, restricting the machine so that it can be accessed only by someone with the matching private key. The second access control is the EC2 firewall, which runs in Amazon’s network. Using your private key, you can send digitally signed messages to the firewall, telling it to open up particular ports between your virtual machine and the rest of the Internet. Digital signatures are also used to sign commands sent to the S3 storage system, although these signatures can be written with an HMAC algorithm (a type of message authentication code), making them very fast indeed.


Despite this use of public key cryptography, authorization is one of the weakest parts of the system. To use EC2 or S3 you need to create an Amazon Web Services account, which is just a standard Amazon account that has been “enabled” for Web services. You then log in to the AWS website and download a public key that’s used to identify yourself to the AWS system, and a private key that’s used by your code to digitally sign all requests. AWS uses HMAC for its signatures, so writing them is very fast.

Unfortunately, while the keys are long enough to be cryptographically secure, they are fundamentally only as strong as your Amazon password that’s used to generate them. Organizations that are serious about AWS should create AWS accounts that aren’t used for anything else and protect them with very long passwords. But that’s not good enough, because Amazon allows passwords to be reset by clicking a link that says “Forgot your password? Click here.” In practice, anybody who can receive mail at the e-mail address registered for an AWS account can commandeer all of the AWS services associated with that account. Amazon will have to address this failing before a business can make a serious commitment to AWS.
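As an added illustration of the two paragraphs above (my own code, not Amazon's tooling), here is the HMAC-SHA1 request signing that S3's REST interface used at the time, as I recall its layout (verb, Content-MD5, Content-Type, Date, x-amz headers, resource path; treat that layout and the sample credentials as assumptions). It shows why signing is fast, that a tampered ACL header or path fails verification, and that the server checks only possession of the secret key, which is exactly why the key is no stronger than the password and reset link that guard it.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials (not real AWS keys).
SAMPLE_ACCESS_KEY_ID = "AKIAEXAMPLEKEYID0000"
SAMPLE_SECRET_KEY = "example-secret-key-not-real-0123456789"

def canonical_amz_headers(headers):
    """Lower-case, sort and join the x-amz-* headers as 'name:value' lines,
    so that headers such as the ACL are covered by the signature."""
    amz = {k.lower(): v.strip() for k, v in headers.items()
           if k.lower().startswith("x-amz-")}
    return "".join("%s:%s\n" % (k, amz[k]) for k in sorted(amz))

def string_to_sign(method, resource, date, content_md5="", content_type="", headers=None):
    """The legacy S3 REST 'StringToSign' (assumed layout): HTTP verb, Content-MD5,
    Content-Type, Date, canonical x-amz headers, then the /bucket/key being acted on."""
    return "%s\n%s\n%s\n%s\n%s%s" % (
        method, content_md5, content_type, date,
        canonical_amz_headers(headers or {}), resource)

def sign(secret_key, sts):
    """HMAC-SHA1 over the string to sign, base64-encoded. Symmetric and cheap:
    one hash computation, no public-key arithmetic."""
    mac = hmac.new(secret_key.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")

def authorization_header(access_key_id, secret_key, sts):
    """Client side: the header value sent with the request."""
    return "AWS %s:%s" % (access_key_id, sign(secret_key, sts))

def verify(secret_key, sts, presented_signature):
    """Server side: recompute from the request as received and compare in constant
    time. Only possession of the secret is checked, not who holds it, so a key
    obtained through an account takeover signs requests just as validly."""
    return hmac.compare_digest(sign(secret_key, sts), presented_signature)

def sign_put(bucket, key, date, content_type="application/octet-stream", headers=None):
    """Build and sign a PUT of one object; returns (string_to_sign, Authorization)."""
    resource = "/%s/%s" % (bucket, key)
    sts = string_to_sign("PUT", resource, date, content_type=content_type, headers=headers)
    return sts, authorization_header(SAMPLE_ACCESS_KEY_ID, SAMPLE_SECRET_KEY, sts)

if __name__ == "__main__":
    date = "Tue, 27 Feb 2007 19:36:42 +0000"   # the Date header also bounds replay
    sts, auth = sign_put("research-bucket", "forensics/image001.raw", date,
                         headers={"x-amz-acl": "private"})
    sig = auth.split(":", 1)[1]
    print(auth)
    print("intact request verifies:", verify(SAMPLE_SECRET_KEY, sts, sig))
    tampered = sts.replace("x-amz-acl:private", "x-amz-acl:public-read")
    print("ACL flipped in transit verifies:", verify(SAMPLE_SECRET_KEY, tampered, sig))
```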

Privacy of stored data is another concern. The S3 system stores information in “buckets.” Each S3 bucket can have an access control list, allowing its contents to be public or restricted to particular Amazon IDs. Fundamentally, though, if you are storing information in S3 that isn’t meant to be public, you should use encryption to enforce that policy. And since there is no significant overhead for using a strong encryption algorithm like AES-256, there is no good reason not to use encryption to protect private information stored in S3. Applications that connect to S3 can also use SSL, although this probably isn’t necessary for applications running on EC2.

The second problem with AWS is the lack of a service-level agreement (SLA)—a formal commitment in which Amazon pledges that data stored in S3 won’t be accidentally deleted, that the network will remain available and will have good bandwidth.

“We work extremely hard to avoid data loss due to an error at Amazon; our software is built to avoid single points of failure. However, we don’t maintain backups that we can restore from,” said Andrew Herdener, an Amazon representative, in response to a question I sent him by e-mail. “This is a business that we’re committed to, and they are services that Amazon itself depends on for its own business.”

If I were developing an e-commerce site that depended on AWS, I would want an SLA that clearly stated Amazon’s long-term commitment to these offerings. I would also want a provision that required Amazon to give me written notice should it plan to terminate the service, as well as provisions for an orderly transition to another provider.

Because Amazon won’t make any of those commitments, I’m living with the risk. I can mitigate that risk a bit by keeping a backup of everything I store at Amazon either at my office or at another storage provider.

Businesses that store their own data and provide their own computational resources also have issues with the reliability of their storage and the resiliency of their internal service offerings, of course. Outsourced services like EC2 and S3 force an organization to confront these risks directly, rather than sweeping them under the carpet. ■


Simson  Garfinkel,  CISSP,  is  researching  computer 
forensics  and  human  thought  at  Harvard  University. 
Send  feedback  to  machineshop@cxo.com. 






The new iCLASS readers:

Price ► same as Prox.
Installation ► same as Prox.
Power Requirement ► same as Prox.
Security ► same as Alcatraz.

hidcorp.com

iCLASS readers offer enhanced security with all the user-friendly features of proximity.

The new iCLASS readers are virtually identical to proximity - in power requirement, ease of use and installation, even price. The only difference is that iCLASS offers enhanced security through encryption and mutual authentication, and its read/write capabilities allow you to add functionality such as biometrics, time and attendance, PC log-on security and more. Plus iCLASS comes from HID. So there’s a lot to feel secure about.


COPPER COP: For utilities, metal theft “is more pressing than terrorism or anything else. Everyone is experiencing it,” says Michael Lynch, CSO of DTE Energy.


Metal has never been more valuable, or more stolen. Inside the metal theft epidemic and CSOs’ struggle to contain the problem.

BY SCOTT BERINATO

In a decaying corner of Detroit, behind a box store, along a trash-strewn scrape of urban ruins, surrounded by trees that are either dead or sag like they wish they were, thick black smoke rises against a gray sky. It’s Halloween afternoon, and Michael Lynch, CSO of the utility DTE Energy, in shined black shoes, a dark suit offset by a crisp blue shirt and a bright, patterned tie, is cutting through the blighted patch, following his eyes, and his nose, toward the smoke.

Metal thieves, Lynch knows, burn off the insulation that sheathes the copper wires that carry his company’s product—electricity—because often that’s how scrap yards want to buy it, without insulation. But also, that’s where the name of the company the wire was stolen from would be. At any rate, the sheathing is petroleum-based. Burning it creates an unmistakable cloud that smells like a car accident. Police have made major busts when they happened to see or smell this smoke.

Recalling the events of that day, Lynch says he isn’t setting out to track down a metal theft. He is out in the field with one of his investigators looking for examples of torn-down power lines for a local TV news crew that wants to do a story on metal theft. But while Lynch is in the field, a DTE customer says that thieves have stolen wires off the poles in front of his house, cutting off the power. The customer adds that he thinks the thieves are burning the wire nearby, and he points the way.

The  intelligence  is  sound.  Lynch  finds  a  column  of 


IN  THIS  STORY  Global  forces 
driving  metal  theft  ■  Local 
forces  driving  theft  ;*  How 
CSOs  attack  the  problem 


February  2007  www.csoonline.com  <  27 


PHOTOS  BY  RACHEL  HOLLAND 


Metal  Theft 


flames  six  feet  high  rising  from  a  dilapi¬ 
dated  cement  slab.  Tending  the  fire  is  a  thin 
man  in  brown  pants,  a  hooded  sweatshirt 
the  color  of  shiraz  and  a  gray  baseball  cap 
pulled  low  over  his  goateed  face.  Lynch  is 
not  normally  in  the  field,  so  he  doesn’t  think 
about  the  danger  of  confront¬ 
ing  a  man  who  could  be  high  or 
armed,  or  both.  Lynch’s  arrival 
(and  probably  his  wardrobe— this 
was  no  cop)  startles  the  thin  man, 
but  luckily  he  shows  few  signs  of 
aggression.  Lynch  begins  to  ask 
questions  politely.  Where d  the 
wire  come  from?  How  much  do 
you  have?  Where  is  the  rest  of  it? 

Where  do  you  sell  it?  How  much 
do  you  make? 

As  Lynch  receives  answers  that 
range  from  useful  to  obfuscatory, 
he  hears  a  rushing  noise  below  his 
heels.  He  looks  down  and  is  startled  to  spot  a 
black  hose  shooting  water  along  the  ground. 
Lynch  grabs  the  hose  and  aims  it  at  the  fire. 

Later,  Lynch  would  put  it  all  together. 
What  he  had  found  was  a  regular  burn  site 
for  metal  thieves.  In  fact,  it  is  the  perfect 
burn  site,  with  a  concrete  surface  to  burn  on 
and  available  running  water  to  control  and 
put  out  fires.  Also,  the  site  is  surrounded  by 
metal  to  steal.  A  nearby  communications 
tower  had  already  been  looted  so  much  that, 
at  one  point,  911  service  was  knocked  out. 
Plus,  there  is  a  scrap  yard  nearby  where  the 
stolen  metal  can  be  sold.  If  the  yard  refuses, 
other  buyers  are  available  close  by.  For  50 
cents  on  the  dollar,  Lynch  says,  you  can  walk 
up  to  them  with  a  grocery  cart  full  of  any 
metal,  without  ID,  and  sell  it  no  questions 
asked.  The  entire  supply  side  of  the  metal 
theft  economy  is  within  walking  distance  of 
the  fire  Lynch  is  dousing. 

Soon  the  fire’s  gone.  With  only  pungent 
gray  smoke  crawling  away  now,  Lynch 
directs  the  column  of  water  spilling  from 
the  hose  to  land  on  a  tangle  of  red  wires 
that,  from  a  distance,  look  like  the  entrails 
of  roadkill.  Even  without  sheathing  to  posi¬ 
tively  identify  them,  he  thinks  they’re  DTE 
wires.  “It’s  like  knowing  you’re  looking  at  a 
Chevy,”  Lynch  says,  “even  though  someone 
took  the  emblems  off.”  An  investigator  who 


is with Lynch calls the police and then snaps a photograph of the improbable scene; the thin man in dark clothes, less than a yard away from Lynch, protests angrily. Lynch, in his smart suit, his preternaturally blue shirt, is wielding the hose and saying something back, but he’s not looking at the thin man. He’s looking at the metal.

All CSOs should be looking at their metal, devising ways to protect it and contributing to the networks that are being developed to disrupt the black market for metal. The metal theft problem affects not just utilities but all companies that have infrastructure, which is just about all companies. If you have a metal fence, it’s at risk of being stolen. If you have construction sites, metal will be taken from them. If you have unguarded rural outposts, they will be raided. No metal is safe.

The Laws of Domestic Supply and Chinese Demand

China needs metal, and junkies need crystal meth. Where these two facts intersect, there’s metal theft.

These two facts intersect every day, everywhere. Thieves are risking their lives and others’ for metal. Thieves yank down live power lines and remove grounding wires from electrical substations, rail lines and wind farms. They snatch wire and plumbing from new housing and business park construction sites, or sometimes from existing houses. In Detroit, The Kronk Gym, a legendary boxing basement where heavyweight champ Tommy Hearns once sparred, was already on the ropes financially; when thieves stripped it of all its copper pipes, The Kronk closed for good. A statue known as a Battle Cross, commemorating the war on terrorism, was snatched from its stand in Yakima, Wash. “Reclining Figure,” a 2.1-ton sculpture by artist Henry Moore, was stolen from a museum in England. At auction, the sculpture was worth $5 million. As scrap metal, it would fetch maybe $10,000. Thieves with a chain and a truck will pull down municipal light poles to get the copper wire out. They’ll get a chain saw or a Sawzall or an ax, and cut down a utility pole. If they don’t have any of those, they’ll climb the pole. In any of these cases, they’ll leave behind $5,000 of damage to extract a few hundred dollars’ worth of copper. No metal is sacred: Cemetery memorials are snatched, and so are the roofs of churches. Wherever there is metal—copper in particular but also aluminum, zinc, nickel and bronze—there is someone stealing metal to sell it for a little cash to support themselves or their drug habit. For CSOs who have any inventory of metal, it is the most significant physical security concern today.

BURN SITES IN DETROIT: Thieves take stolen wire to places where they can burn it to remove the insulation.

It’s basic economics: Demand for metal is long and supply is short, making semiprecious metals precious. Precious to China, where a growing nation will pay high prices for it, and precious to addicts who need a hit. Investors can’t get enough commodity metal, and neither can the impoverished looking for a quick buck.

How Copper Became Trendy

At 5:10 a.m. on Oct. 9, 2003, in West Papua, Indonesia, one of the walls of the Grasberg copper and gold mine collapsed. Two million three hundred thousand tons of rock rushed down into the open pit, killing eight and injuring five. Copper prices spiked.

The prices had already been rising for a few months. It was June 2003 when copper and other metals finally started to show signs of life after falling to historic lows in early 2002, when copper dropped to 65 cents a pound on the London Metals Exchange. But by mid-2003, investors had started talking about a place they called “emerging Asia,” which includes China, India and other countries. Most of the focus is on China, with its 20 percent economic growth rate, says Patricia Mohr, an economist specializing in metals at Scotiabank. “Investment funds began to recognize that China was emerging as a major force,” she says.

Demand for metal was picking up in Europe and America too, as new construction continued and the military machine warmed up for a coming war in Iraq. After years in the doldrums, the four key base metals—aluminum, copper, nickel and zinc—became hot commodities, with the bellwether red metal, copper, especially hot. After the Grasberg landslide, copper quickly passed $1 per pound.

At the time, Michael Assante was CSO at American Electric Power. He tracked prices weekly and briefed executives quarterly on metal theft incidents and total loss. “We could map the rise in prices to increased security incidents. For the most part it was a direct correlation,” he says.

Prices climbed steadily. Then workers went on strike at the El Abra mine in Chile in late 2004, and by 2005, prices passed $2 a pound. But no matter how high metal prices climbed, it seemed, China kept buying. China became the world’s biggest consumer of the four key base metals, by a wide margin, virtually overnight, Mohr says. Money flowed toward metal, copper in particular. Investors who once put only precious metals in their portfolio were adding semiprecious metals and creating index funds out of commodities once considered too volatile. Metals became a way to diversify a portfolio, since trends in commodities don’t necessarily follow the stock market.

Copper hit $3 a pound by early 2006. China kept buying. The mines and the mills had basically taken the ’90s off from creating new mining and smelting capacity because prices were so low for so long and then flagged after 9/11. Without new capacity, the world entered a “deficit condition” where copper production fell below consumption.

“We’ve had a 100 percent increase in metal thefts year over year,” says Mike Dunn, manager of physical security at American Electric Power, based in Ohio and serving electricity in 10 Midwestern and Southern states. At both meetings of the Edison Electrical Institute trade association last year, Dunn says, all anyone could talk about was metal theft. In Tucson, Ariz., metal theft is up 150 percent. In Dallas in 2006 there were 1,500 cases of metal theft reported through August, according to a Dallas Observer article quoting police. Last spring, police in Hawaii opened 15 separate metal theft investigations in two months. Lynch at DTE in Detroit adds, “We had one facility that had 38 [incidents of breaking and entering] in eight months.” Thieves keep coming back to the same sites, often rural ones where it will take police a long time to respond. “At these prices, it’s worse than ever before,” says Theo Lane, a senior coordinator with Duke Energy, which provides electricity in the Carolinas. “We’ve seen cases where thieves will sell their stolen metal to a scrap yard, then steal it from that yard to sell it again someplace else.” Assante calls metal theft “a plague.”

Lynch asked the man: Where’d this come from? How much wire is there? Where is the rest of it?

PHOTOS LEFT BY RACHEL HOLLAND; RIGHT COURTESY OF DTE ENERGY

On May 12, 2006, copper hit $3.99 per pound, nearly $8,800 per metric ton, a figure that causes Mohr to say, simply, “Extraordinary!”

China finally balked. Some companies there felt prices were too high. Many relied on metal inventory acquired for just this situation. At the same time that China started refusing to pay $4 per pound, construction in the United States slowed as the housing market softened. The Federal Reserve held steady on interest rates, and Mohr says that investors are speculating rates might start dropping again in 2007. Investors started cashing out. Copper prices started to fall, and no one was sure how fast and how hard they would come down.

Not too fast and not too hard, it turns out. Seven months after the $3.99 peak, copper remains above $3 per pound (at $3.03 as of Jan. 8), and Mohr says that the growth in copper prices has slowed, but zinc and nickel remain at record highs. China, Mohr says, is not going away. She believes copper will be lower in 2007, but adds, “even if copper falls to, say, $2.50 per pound, that’s still historically very lucrative.”

Even if prices drop, metal theft will remain historically high. Thieves have caught on: There’s metal everywhere and much of it is, understandably, unguarded. Aluminum guardrails. Brass fittings. Bronze plaques. Aluminum siding. Sprinkler fittings. Catalytic converters on church vans. Bronze urns. Storm drain grates. Street signs. Copper downspouts. The nozzles on Houston’s fire trucks’ hoses. All of those have been reported stolen. You don’t notice how much metal there is for the taking until it starts getting taken. And, Lane says, “There’s no end in sight.”

Where 800 Pounds of Stolen Copper Goes

For Lane, metal theft is problem number one. “Matter of fact,” he says, “this morning we arrested six guys in connection with a substation break-in.” The men allegedly stole about 800 pounds of copper wire on one of those large wooden spools waiting to be used as electrical wiring at a Duke Energy construction site in Anderson, S.C.

Once a spool like that is stolen, thieves will cut the wire into 4- or 5-foot sections, effectively destroying the product for the owner. At that point, it’s scrap. Then comes a crude burning process, usually throwing the wires directly into a fire. Burn sites, like the one Lynch found in Detroit, are reused. Lane says some thieves will coat the wires with oil or other accelerant, load them in a 55-gallon drum and drop a lit match in. Other times, oak wood is put in the bottom of a drum and sections of wire are dropped in like lengths of raw spaghetti.

That’s what the six men Lane was talking about were allegedly doing when a patrol officer saw, and smelled, black smoke coming from behind a house outside of town, in an area suspected of metal theft activity. The men were charged with grand larceny, but Lane says finding them was luck.

Imagine if the police hadn’t happened onto the scene. This is what might have happened: The thieves would have finished burning the insulation and hosed down the wires, piled the charred copper into a truck and headed for the scrap yard.

Many businesses have contracts with the local scrap yard. These six men would be peddlers—unknown and unaffiliated. Some yards, says Steve Solomon, who owns Solomon Metals, a scrap yard in Massachusetts, won’t deal with peddlers, so the thieves will send in someone else who the yard can trust. If the thieves are known around town or have reason to worry they might be discovered (all sources said you need an ID to sell any significant amount of metal) or suspect someone has reported their metal stolen to the scrap yard, they will travel two counties over to another scrap yard, says Lane.

Say the scrap yard agrees to buy the stolen scrap. If the price of copper is $3 per pound at the time, the peddler will get quite a bit less than that, perhaps 60 to 75 cents on the dollar, depending on several factors, says Bryan McGannon, a spokesman for the Institute of Scrap Recycling Industries (ISRI), a trade association for scrap yards. Those factors include the quality of the scrap, size of the haul and the region of the country. In this case, the 800 pounds of copper stolen from Duke Energy is off-the-spool, industrial-grade copper. The dealer agrees to pay $2.50 a pound for the copper and hands over $2,000 in cash to the peddler. “Not bad for an hour’s work,” Lane says. “Why would you break into a house or a store?”

If the scrap dealer, suspicious, refuses to buy the copper, the thieves will seek out a gray market dealer with lower standards and fewer questions. Lynch at DTE has discovered such rackets and says the thieves would get considerably less cash, maybe 50 cents on the dollar or less, $1.50 a pound if they’re lucky. (That still yields $1,000.) The gray market dealer will then have to sell to another scrap yard that trusts him, for the higher rate of $2.50. Several sources describing this market said the dealer might split up the haul and sell it to other dealers or directly to a metal manufacturer.

However the metal gets to a legitimate scrap yard, the dealer adds the 800 pounds of stolen metal onto a pile of high-quality copper scrap, one of many piles sorted by metal type and quality. Legitimization of the stolen metal has begun; the stolen scrap and the honest scrap are mixed into a pile or compressed together into a bale, like hay.

The scrap yard sells the bales and other sorted scrap to metal manufacturers, tons at a time, for something closer to the $3 per pound going rate, maybe $2.75. The metal manufacturers then mill it. It’s smelted. The stolen copper and honest copper are liquefied and amalgamated, swirled together as one. Out of this process, says ISRI’s McGannon, comes copper cathode—the commodity that’s trading at $3 per pound on the London Metals Exchange. Cathode is sheets or bars of copper, like red gold. The copper manufacturers sell the cathode to companies in emerging Asia for near the going rate, $3 per pound. At the local port, the small city of containers that have just been emptied of their bric-a-brac stamped “Made in China” are reloaded with the copper cathode, put back on the boats and sent to markets around the globe.

In China, the companies that bought the metal extrude it, turn it into products, probably wires or plumbing, and sell it to a contractor there. The contractor brings it to a construction site. The stolen metal’s journey is over. The 800 pounds of industrial grade copper wires that were meant to carry electricity across South Carolina are now part of pipes carrying hot water to a lavatory on the 37th floor of a fantastic new high-rise in Shanghai.

PHOTO BY BILL CRAMER


How the Drug Problem Got to Be Mike Dunn’s Problem

Smoking or injecting methamphetamine produces a flash of unregulated pleasure—dopamine floods the brain—that lasts up to 12 hours. Snorting or ingesting it produces euphoria, relatively less intense than a flash but a high that will last as much as a day, according to the National Institute on Drug Abuse (NIDA). One form of methamphetamine, crystal meth, also known by names like ice, crank, glass and tina, effectively combines the two. It creates a rush and a high.

As with cocaine, another stimulant, users of crystal meth are highly alert; they don’t need sleep. Appetite decreases while activity increases. But crystal meth stays in the system 12 times longer than cocaine. With all that time and energy, high users can set about procuring the funds that will get them more crystal meth. They can, for example, break into an electrical substation to take grounding wires and other metal to sell at a scrap yard for cash.

To combat the theft of copper grounds from substations, Dunn at American Electric Power says his company replaced the all-copper grounds with ones that consisted of copper wound around galvanized metal, known as copperweld. The idea was to remove the value of the target; copperweld is worth far less than pure copper grounds. And unwinding the copper from the cheap metal rod, Dunn says, would take hours.

Nevertheless, as soon as he put such a ground in, it was stolen. “They had to have been in there for hours for what? A hundred bucks of copper?” says Dunn.

Some metal thefts like this at first seem bizarre—Herculean efforts put forth for minimal payoff. But they make sense when put in the context of crystal meth. Meth addicts have been known to go on intense and repetitive activity sprees like cleaning a floor with a toothbrush. Carefully unwinding copper seems leisurely by comparison.

Dunn also recalls a rural stretch where someone apparently went utility pole to utility pole cutting off the grounding wire running down the side of the pole as high as the thief could reach, for miles. News stories and authorities from other regions cite further examples: In Arizona, someone climbed a pole and reeled in 4,400 feet of copper wire (a very heavy load) before, apparently, falling off the pole and fleeing, injured, with the wire. In Ohio, 400 feet of aluminum bleachers was nabbed. Three men in Russia used a blowtorch to cut 5-foot sections of narrow-gauge rail from a train line. By the time they were caught, they had cut and hauled 50 tons of it. In one week in the Ukraine, a museum’s historic 14.5-ton locomotive was stolen and cut up for scrap, and so was an 11-meter metal bridge, the only road in and out of a town.

A single high dose of crystal meth has been shown to damage nerve terminals in the brains of animals, as have long periods of lower doses. The more one uses meth, the more one needs to use it. Addiction comes rapidly and leads to hard-to-fathom binges. A gram of crystal meth could last a week when you start; on a binge, an addict might take a gram every three hours for several days, without sleep or food, according to NIDA. Addicts become violent and confused and eventually exhibit clinically psychotic symptoms, like paranoia, hallucinations and something called “formication”—the sensation of insects crawling all over the skin.

When addicts stop using crystal meth, they don’t suffer physical withdrawal symptoms like the shakes. Instead they are left with depression, fatigue and a craving so intense that they will take extreme measures—climbing utility poles carrying deadly amounts of live electricity, say—to get more.

It’s hard for someone sober to comprehend the craving, says Joe Frascella, the director of the Division of Clinical Neuroscience and Behavioral Research at NIDA. To try, he says, imagine holding your breath for one minute. “You get to a point, near the end, where all you can think about is taking a breath,” he says. “You’re in a panic state. A drive state. Nothing else matters except breathing.” In a sense, Frascella says, craving crystal meth is not unlike living in the moment before you drown, for days on end.

It’s important to point out that not all meth addicts are metal thieves and, likewise, not all metal thefts track back to meth addicts. No scientific data exists yet that confirms the link between the two, but CSOs and law enforcement say the link exists. Many interviewed for this story mentioned the drug unprompted. Indeed, hot spots of crystal meth abuse—Hawaii, the Southwest, San Diego, Oregon, and increasingly the rural Midwest and South—map to hot spots of metal theft. In local news stories, law enforcement officers make the connection explicit. “Anytime you’ve got copper thefts, you’ve got meth problems,” said Dakota County Sheriff Don Gudmundson in a September story in the St. Paul Pioneer Press. “One goes with the other.” In one Detroit case, officers found a house full of stolen metal and several people living there. One man was shooting up when they found him and asked to finish before they arrested him. “We know drugs are the driving force,” says Dunn, who is a retired commander of a narcotics unit in Texas. “I don’t think people are stealing copper to buy groceries. I really don’t.”

“I tell the security guys, you can’t depend on us to be the gatekeeper. I tell them, if you don’t want people to take the metal, you’ve got to start treating it like what it is—an asset.”

-STEVE SOLOMON, OWNER OF SOLOMON METALS

More Than Collateral Damage

The link between addicts and metal theft also explains the irrationality behind some of the riskiest metal thefts and their consequences. Thieves may be dishonest, but they are also rational. A thief interested in making money isn’t likely to break into a substation, because the risk of death is so high for a reward of only a few hundred dollars’ worth of copper. And yet, substations are getting broken into constantly, and live wires are being cut, utility poles being climbed.

LEGITIMATE SCRAP: Bales of insulated copper wire are ready for resale at Solomon Metals in Lynn, Mass.

“Drugs hijack your motivational systems,” NIDA’s Frascella explains. “Motivation gets pushed so out of whack.”

A crystal meth addict, whether high or craving a high, isn’t rational about what constitutes risky behavior. He lacks judgment and can’t control his motivations. “This habit removes all the inhibitions you normally have with scary environments, including dangerous equipment like an electrical substation,” says Pete Jeter, lead physical security specialist at Bonneville Power in Oregon. This is scientifically true, according to Frascella, who notes that meth affects inhibitory parts of the brain.

Thus, stories of wildly risky metal thefts that lead to death are legion and often harrowing. “I had two fatalities in a 30-day period,” Lane says. “Both were cutting wires off the pole. I think the first guy thought he was cutting a de-energized line. The second one is a real mystery, but who knows? We don’t have a witness left.”

“We had one in Kentucky up on the pole recently,” Dunn says. “He cut the wrong wire, got wrapped up in the lines and just hung there upside down, dead, until someone passed by and noticed.” Lynch in Detroit mentions “quite a few deaths recently in the city” including one electrocution when a thief was trying to steal live wires out of a traffic box.

In 2006, Jeter remembers, a man broke into a Clark Public Utilities substation and cut out copper grounding wires. Then he apparently bumped his head against a live wire, at which point he became the grounding wire. Seventy-two hundred volts coursed through him, and he burst into flames. The body burned for 45 minutes while engineers turned off the power and let the energy drain out, until it was safe to go in.

Scrap Man in the Middle

PHOTO BY SCOTT BERINATO

Solomon, owner of Solomon Metals, also




president of the New England chapter of ISRI, walks the floor of his warehouse, past 2,500-pound bales of old copper wire, past carburetors compacted together, past barrels full of metal shavings and boxes overflowing with shiny cables, their color so unmistakably unique that it’s got the same name as the metal: copper. Solomon’s looking at something else, though. Thick industrial wire wrapped in gray insulation and wound around a plastic spool—the kind you’d find on a job site. “You see?” he says. “It could be an electrician who’s done with a job and has no place to store the hundred feet of wire left on the spool, so he sells it for scrap.”

Solomon  is  at  the  tail  end  of  an  impas¬ 
sioned  defense  of  his  industry,  the  scrap 
yards,  which  he,  ISRI  and  others  feel  is 
served  far  too  big  a  piece  of  the  blame  pie 
for  the  metal  theft  problem. 

In  fact,  the  scrap  yards  are  kind  of  the 
hinge  of  the  metal  theft  supply  chain,  the 
thing  that  connects  the  supply  side,  those 
stealing  and  selling  scrap,  to  the  demand 
side,  those  buying  scrap  to  make  it  into  the 
new  metal.  Because  of  this  precarious  posi¬ 
tion,  CSOs,  the  police,  copper  manufactur¬ 
ers,  everyone  seems  to  point  fingers  at  the 
scrap  yards  as  the  place  to  look  for  both 
the  problem  and  the  potential  solution.  An 
uneasy  peace  reigns  between  scrap  dealers 
and  security  executives,  especially  at  the 
utilities.  While  they  work  together,  sharing 
intelligence  on  thefts  and  trying  to  enforce 
secure  practices  and  awareness  of  the  prob¬ 
lem,  both  sides  seem  to  think  that  the  other 
could  be  doing  more. 

“The scrap metal industry is to some degree an illicit market,” says Duke Energy’s Lane. “You’ve got legitimate players, no doubt, but also a whole lot of illegitimate players.” Lane’s comments are echoed by others. A September 2006 article in the Long Island Business News on the topic called scrap yards “an ideal fence” for stolen metal.

Most security executives, like Lane, preface their comments about the scrap industry by saying they understand that most scrap dealers are honest. Jeter cites “extraordinary cooperation” between CSOs and scrap dealers. Lynch says some busts in his area have come from tips by scrap yards.

Ways to build awareness

□ Conduct community meetings.

□ Create brochures for public; send to residents via bills, newspapers.

□ Create brochures for law enforcement that show pictures of stolen metal.

□ Conduct media interviews.

□ Create theft alert systems in conjunction with scrap dealers and police.

□ Create reward program for useful tips.

Physical defense moves

□ Conduct risk assessment to determine most sensitive sites to fortify.

□ Consider corrugated steel link fencing, razor wire and surveillance.

□ Add signs with contact information for reporting suspicious activity.

□ Add danger signs.

□ Consider marking (trace coatings) metals for unique identification.

Relationship building—and legal follow-through

□ Work with police on investigations.

□ Work with local and state officials to clarify and strengthen statutes regarding rules of metal sales.

□ Work with federal authorities on linking metal theft to critical infrastructure protection.

□ Prosecute perpetrators to the fullest extent possible.

SOURCES: RONALD NIEBO, NORTH AMERICAN ELECTRIC RELIABILITY COUNCIL; CSO REPORTING

Usually, though, there is a “but.” Lynch: But “some are operating on the fringes.” Jeter: But “we’re talking with county and federal prosecutors about enhanced legislation regulating the scrap industry.” Assante: But “the scrap yards know much of what’s coming in is stolen, and they buy it anyway.”

Part of Solomon’s rebuttal includes the fact that his company, like most reputable scrap yards, retains copies of IDs from sellers. It also does not pay cash for metal. ISRI has created a theft alert system so members know what metal has been reported stolen where. ISRI also has published recommended practices for avoiding stolen scrap and set up an awareness program with the National Crime Prevention Council.

More than all that, though, Solomon’s rebuttal is the half-used spool of wire. “It’s new wire, just like a stolen spool would be. How are you going to tell this from stolen wire? You’re not. Wire is wire. Scrap metal is scrap metal. You almost have to go by the character of the person coming in.” And even then, Solomon says, inside jobs are common. An employee of a reputable firm may show up, and the scrap dealer would have little reason to distrust him. Can the scrap yards be expected to figure out who’s honest and who isn’t? “We’re not a policing agency,” says Solomon. “I tell the security guys, you can’t depend on us to be the gatekeeper. I tell them, if you don’t want people to take the metal, you’ve got to start treating it like what it is—an asset.”

He also tells them scrap dealers are victims too. Tons of metal is stolen from scrap yards, according to an article in ISRI’s magazine, Scrap. In Georgia, 13 tons of used beverage cans. In Pennsylvania, 32,000 pounds of aluminum. More than 50,000 pounds of copper in Tennessee and Louisiana.

The problem, Solomon says, really is the 1 percent of disreputable dealers, “peddler shops,” he calls them. No matter what controls scrap dealers put in place, it won’t stop the theft, it just moves the transactions to these shops, to a grayer market. Solomon believes the finger-pointing at his industry stems from stereotypes of the scrap industry, which originated mostly from family-owned businesses like his (Solomon Metals was started by his grandfather 62 years ago). People assume they’re all peddler shops, a bunch of shady operations.

Still, Solomon says he brought three security executives from utilities to the New England ISRI meeting in December. “We should be working together to fight the problem, not fighting each other. My message to the security industry is that the scrap industry is not trying to be the bad guy. We’re doing what we can. We’re caught in the middle here.”




Beyond  Awareness  Programs 

Of all the techniques DTE’s Lynch has employed in Detroit to combat the metal theft epidemic there, perhaps the most effective has been an awareness program that in effect amounts to reminding the police to look up. “They’re trained, you know, to look for criminals banging in doors,” says Lynch, who started the program in 2005. “We just say, look up in the air, and since then we’ve had more than a dozen arrests made on the poles. That’s outstanding.”

Awareness programs for citizens and police, of course, dominate CSOs’ attempts to combat metal theft. Fliers. A media campaign. Meetings with police, city and state officials. Lynch has augmented these efforts with a rewards program—$1,000 for each useful tip. Dunn of American Electric Power has set up a hotline for reporting suspected thefts. Lane at Duke Energy also engages local sheriffs of South Carolina, reminding them of the laws that require dealers to record a legitimate ID for anyone selling more than 25 pounds of scrap. “We’ve seen times when they’ll take a library card for ID,” Lane says. “We’re also trying to make sure the district attorneys know this needs to be prosecuted as a serious crime. We don’t want them to plea-bargain out or dismiss the case.” In Oregon, Jeter is doing the same.

Several CSOs at the utilities are working on lobbying programs at the state and federal levels that would link metal theft to terrorism through the fact that utilities are considered critical infrastructure. More severe penalties may stem the tide, but some argue that it’s not the severity of the penalty that staves off crime, but rather the likelihood of getting caught, which remains low, especially in rural areas. Plus, penalties and chances of getting caught are risk propositions lost on the meth-fueled thief.

Another way CSOs have sought to win public support is to position metal theft as a public safety issue: Power outages disrupt local economies. Dangerously exposed live wires and ungrounded substations can harm or kill innocent passersby.

As for protecting the assets, CSOs are active there too. Lynch’s site after the 38 breaking and entering cases was reinforced with an 8-foot corrugated steel wall trimmed with razor ribbon. So far, it has held up. Others are adding CCTV and intrusion detection systems (as are some scrap yards). But, “It’s not practical to consider these measures as an answer,” says Dunn. “These fences cost three or four times what a normal fence costs, and I’ve got 3,800 substations.” Assante mentions “dedicated warehouses” that securely store metal, “but that’s a lot of cost, and when work is localized, they want the metal [available], not waiting in some central warehouse.”

REWARD: Michael Lynch, CSO of DTE Energy, hands a $1,000 check to a Detroit citizen who tipped him off about a metal theft.

Metal theft, then, has become another risk assessment project: Where are the most significant targets in which CSOs need to invest the extra capital in defenses?

CSOs have considered marking metal too. The ideas range from simply spray-painting the wire to using high-end tools to put microscopic signatures on the metal itself. But this, too, is expensive and it has limited application, they say. After all that marking, the most likely time a company would use it to identify its stolen metal is after it has been chopped up into scrap.

One of the most controversial proposals floated for controlling the metal theft market is a program called “tag and hold,” words that make Solomon sneer. “We don’t want to go into that,” he says. In tag-and-hold programs, scrap yards tag incoming scrap with a unique ID and put out an all-points bulletin on contents of each lot. Then they hold the scrap for a week while the CSOs, investigators and police look for matches with reports of stolen metal.

Solomon is skeptical. “It’s a good idea if you want to shut the scrap industry down,” he says, noting that much of his metal moves through the yard in less than a week. Holding it not only would affect his ability to do business—what if prices changed while he was sitting on the metal?—but there isn’t the space to hold it. It would be like stopping the middle car of a train while all the cars ahead and behind tried to keep going.

A $1,000 Drop in the Metal Bucket

Back in Detroit, behind the box store, Lynch completely douses the fire, and the thin man in the shiraz sweatshirt yells at him. But the man does not attack. Defeated, he simply walks away, and Lynch can’t stop him. “My sense is he was using the proceeds for drugs,” so he probably just wanted to move on to find more proceeds, Lynch says later. He let him go; he had pictures. He gave the pictures to the police who, according to Lynch, found the man and arrested him on suspicion of metal theft.

Lynch returned to the DTE Energy customer who had first provided the burn-site tip to grant him his $1,000 reward. He had given several of these checks before, the first of which went to a Detroit resident who noticed some guys climbing a pole. That tip led to their arrest. Lynch brought along a cameraman that time to capture the classic photo op. In the picture, Lynch beams. The tipster smiles. They shake hands. Lynch hands over the check.

But across the street, dead center of the picture, stands a crumbling house. The kind of house, Lynch says, where addicts go to get high, after they’ve stolen metal and sold it for the cash they need to buy ice. “Metal theft is the number-one issue for us,” Lynch says. “With utilities, it’s more pressing than terrorism or anything else. This issue, everyone is experiencing it.” ■


E-mail Senior Editor Scott Berinato at sberinato@cxo.com.




PHOTO  COURTESY  OF  DTE  ENERGY 




(Definitely Not Safe?)

NEW ATTACKS ON THE INTERNET’S DOMAIN NAME SYSTEM KEEP CISOS GUESSING. HERE’S WHAT YOU CAN DO ABOUT IT.

BY  ERIK  SHERMAN 


WHEN IT COMES TO the Web’s domain name system (DNS), many otherwise vigilant CSOs heed the adage of leaving well enough alone. It’s understandable, as DNS has for years reliably allowed people to use domain names (such as www.csoonline.com) with their Web browsers rather than having to remember remarkably non-mnemonic IP addresses (such as 64.28.79.93).

Unfortunately, for all its success, DNS is one area in which what you don’t know can hurt you—badly. Despite well-publicized attacks on domain name servers in 2000 and 2001, evidence suggests that many companies simply have not taken the steps necessary to protect this vital part of their networks. Experts differ on just how much danger companies generally face. However, they seem to agree that, depending on the circumstances and the company, the results could include electronic attacks and unknowingly providing confidential information to competitors. Some companies aren’t just leaving the back door unlocked—they’re taking out the hinge pins and removing the door entirely.

IN THIS STORY New attacks on domain name system servers ■ The problem with DNSsec ■ Defensive steps for CISOs

ILLUSTRATION BY JONATHAN TWINGLEY

“There is a lack of appreciation of just how damned vulnerable DNS is,” says Lloyd Hession, CSO for BT Radianz. Indeed, the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (CERT) has recently reported a rise in distributed denial-of-service (DDoS) attacks using DNS. No matter how safe DNS may seem, companies need to stay alert. Here’s a quick roundup of DNS vulnerabilities and attack methods CISOs should understand.

OPEN  TO  MISUSE 

WHAT MAKES DNS such a vulnerable part of the Internet is the range of exploits it makes possible. DDoS attacks are the best known because they were the basis of some prominent attacks a few years ago. DNS servers can be the targets of these attacks, but—and this is less widely known—hackers can use DNS servers to perpetrate a DDoS attack on a third party, essentially amplifying the volume of data hitting the target system by upwards of 4,000 percent.

On one hand, says Marty Lindner, senior member of the technical staff at the Carnegie-Mellon University CERT/CC, DDoS can be executed by bombarding a DNS server to block real traffic from getting in and effectively keeping those users off the Internet. Perpetrators can also flip the tactic, creating spoofed requests to a DNS server that supports recursion. Recursion is the method by which a name server hunts down the IP address of an unfamiliar domain name by working down trees of name servers that provide authoritative information on given parts of the Internet. The original name server receives one packet of information after another that each provide the equivalent of directions to reach the destination, and passes them all on to the requester.


When the initial request is spoofed with the address of the hacker’s target, all that data goes whistling back to the target. “It doesn’t take more than 10 or 20 name servers to mount a denial-of-service attack against another target,” says Cricket Liu, vice president of architecture at network appliance vendor Infoblox and coauthor of the book DNS and BIND.

Recursion is just one way to have a name server send bucketfuls of data to a target. Another is zone transfer, part of the DNS protocol that enables any name server to replicate its zone data to other name servers. One request can create a response with all the information for that name server’s zone: computer names, IP addresses and possibly other information that describes the type of hardware and the version of operating system. According to Liu, with a big enough zone, the transfer can take 15 minutes or longer to complete. In addition to creating bandwidth-choking amounts of data, these zone transfers use the Transmission Control Protocol (TCP) rather than the lower-overhead but more easily spoofed User Datagram Protocol (UDP) commonly favored by other Net-based services. That makes zone transfer more resource intensive, putting a greater strain on both the generating name servers and the receiving machine.

Zone transfer also represents a disturbing amount of detail that a hacker can legally glean from a target without probing. Furthermore, this information can provide significant clues to the activity of a company and where it devotes its strategic IT resources—a boon for rivals seeking competitive intelligence.

Because most IT departments see DNS as reliable, they often barely monitor their name servers. The DNS servers sometimes don’t run through the firewall, according to CERT/CC’s Lindner, making them a perfect way for someone who has broken into a network to tunnel sensitive data out by piggybacking it on DNS packets that no one will notice. “[What hacker] cares if it takes a week to get the data out?” asks Lindner.

Some data takes significantly less time to obtain. Dan Kaminsky, director of penetration testing for security consultancy IOActive and longtime DNS critic, notes that because of the way DNS caches data, there is much that someone can pick up using a technique called cache snooping. “If your internal name server is also shared and accessible on the outside world, then I can see if company A is e-mailing company B, how often are people going to Google or Yahoo,” he says. Again, it’s not necessarily anything that will physically compromise a network, but it’s still information you don’t want a hacker or competitor to get.

And if DNS runs on a server that also runs other network services, something that Kaminsky has seen at some companies, a compromise of the other services could render the name server vulnerable as well.
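The reflected-amplification, zone transfer and DNS-tunnelling traffic described above all show up at the firewall, which is where the article’s “Desire Network Safety?” sidebar says to look. As an added example (not code from the article or any vendor), the script below runs that monitoring advice over constructed flow records: it flags DNS replies landing on hosts that are not name servers, TCP/53 connections from anything but a listed secondary, per-source query spikes, and workstations pushing large volumes of DNS data straight out of the network. The record format, addresses, host inventory and thresholds are all assumptions.

```python
"""Run the article's DNS monitoring advice over firewall flow records.
Added example, not from the article; the record format, addresses,
host inventory and thresholds are constructed assumptions."""
from collections import defaultdict
import re

# Assumed inventory: internal name servers (the only internal hosts that
# should exchange DNS with the outside) and the authorized secondaries.
NAME_SERVERS = {'10.0.0.53'}
SECONDARIES = {'198.51.100.53'}
INTERNAL_PREFIX = '10.'

QUERIES_PER_MINUTE_LIMIT = 50   # per-source spike threshold (assumption)
DNS_BYTES_OUT_LIMIT = 20_000    # per workstation per minute (assumption)

# Constructed record format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> <bytes>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<proto>UDP|TCP) (?P<src>[\d.]+):(?P<sport>\d+) -> '
    r'(?P<dst>[\d.]+):(?P<dport>\d+) (?P<bytes>\d+)$')


def parse(line):
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f'unparseable flow record: {line!r}')
    rec = m.groupdict()
    for field in ('sport', 'dport', 'bytes'):
        rec[field] = int(rec[field])
    rec['minute'] = rec['ts'][:16]      # YYYY-MM-DDTHH:MM bucket
    return rec


def analyse(lines):
    """Return sorted (rule, address) findings for the given flow records."""
    findings = set()
    queries = defaultdict(int)      # (minute, src) -> queries sent
    bytes_out = defaultdict(int)    # (minute, src) -> DNS bytes leaving the network
    for rec in map(parse, lines):
        src_internal = rec['src'].startswith(INTERNAL_PREFIX)
        dst_internal = rec['dst'].startswith(INTERNAL_PREFIX)
        # 1. A reply from an outside name server landing on a host that is
        #    not a name server: either we are the target of reflected
        #    (spoofed-source) queries or something is using DNS as a channel.
        if (rec['sport'] == 53 and not src_internal and dst_internal
                and rec['dst'] not in NAME_SERVERS):
            findings.add(('response-to-non-nameserver', rec['dst']))
        # 2. Zone transfers ride TCP; only listed secondaries should open
        #    TCP/53 to our servers.
        if (rec['proto'] == 'TCP' and rec['dport'] == 53
                and rec['dst'] in NAME_SERVERS and rec['src'] not in SECONDARIES):
            findings.add(('tcp-53-from-unauthorized-host', rec['src']))
        # 3./4. Per-source volume for the spike and exfiltration checks.
        if rec['dport'] == 53:
            key = (rec['minute'], rec['src'])
            queries[key] += 1
            if src_internal and not dst_internal and rec['src'] not in NAME_SERVERS:
                bytes_out[key] += rec['bytes']   # workstation talking DNS outside directly
    for (_, src), n in queries.items():
        if n > QUERIES_PER_MINUTE_LIMIT:
            findings.add(('query-spike', src))
    for (_, src), total in bytes_out.items():
        if total > DNS_BYTES_OUT_LIMIT:
            findings.add(('dns-bytes-out', src))
    return sorted(findings)


# Constructed sample: normal traffic, one reflected reply, one authorized and
# one unauthorized TCP/53 connection, and a workstation sending 200 queries
# straight to an outside server within a minute.
SAMPLE_FLOWS = [
    '2007-02-01T10:00:01 UDP 10.0.0.25:4021 -> 10.0.0.53:53 64',
    '2007-02-01T10:00:01 UDP 10.0.0.53:53 -> 10.0.0.25:4021 180',
    '2007-02-01T10:00:01 UDP 10.0.0.53:5301 -> 192.0.2.1:53 64',
    '2007-02-01T10:00:02 UDP 192.0.2.1:53 -> 10.0.0.53:5301 220',
    '2007-02-01T10:00:05 UDP 203.0.113.7:53 -> 10.0.0.40:53 3200',
    '2007-02-01T10:00:09 TCP 198.51.100.53:40001 -> 10.0.0.53:53 100',
    '2007-02-01T10:00:10 TCP 203.0.113.9:40002 -> 10.0.0.53:53 100',
] + [f'2007-02-01T10:00:{i % 60:02d} UDP 10.0.0.77:{5000 + i} -> 203.0.113.50:53 300'
     for i in range(200)]

if __name__ == '__main__':
    for rule, address in analyse(SAMPLE_FLOWS):
        print(f'{rule:32} {address}')
```

The per-minute thresholds are placeholders; in practice they come from a baseline of the network’s own DNS volume, which is what the sidebar’s “unusual spikes” advice presupposes.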

TAKING  CONTROL 

ASIDE FROM becoming a data sieve, DNS is subject to more subtle attacks via tampering and cache poisoning. By changing the actual lookup data in the DNS cache, an attacker can replace a server’s real IP address with one that will lead a user to the attacker’s own machine. Until the cache eventually refreshes, users will be misdirected with potentially no clue to what actually happened. Hackers can use this attack to direct traffic away from the website and potentially capture private information from users. This is the tactic known as “pharming” (see “After Phishing? Pharming!” www.csoonline.com/read/100105).

Desire Network Safety?

Experts recommend these steps to protect DNS

A little discipline can solve domain name system (DNS) woes. The only requirement is name servers that allow proper configuration. Experts suggest:

Limit recursion. Name servers do need to offer recursion to name resolvers that are actually on your network, but there is no reason to make recursion available to any entity on the Web. Any server for internal name resolution should remain within the firewall.

Play zone defense. Allow zone transfers only to authorized secondary name servers. If the network doesn’t recognize who wants information, it shouldn’t give anything away.

Monitor DNS. Regularly monitor name servers for unusual spikes in traffic and in the amount of data either coming in or going out.

Use your firewalls and routers. Look for incoming traffic on port 53. If there are DNS responses headed for a network host that isn’t running a name server, something is wrong and you can filter the traffic to head off the attack.

Update your name server software. Without the right versions and patches, the software is even more susceptible to attack or manipulation.

Reexamine your load balancing. Some companies use a DNS-based approach to load balancing. Experts say that’s relying on a weak link.

Work with your ISP. If you use hosted DNS, negotiate with your ISP to put upstream filtering into place.

Keep DNS by itself. Don’t run DNS on a server that also runs other network services, like a Web or mail server. A successful exploit on the other service could leave DNS vulnerable.

-E.S.
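The first two steps in the sidebar, limiting recursion and restricting zone transfers, are two lines in a BIND named.conf. As an added example that is not from the article or from ISC, the script below holds a constructed open configuration beside a hardened one and audits either for those two settings. The ACL names and addresses are assumptions (RFC 5737 documentation ranges), and treating a missing directive as open reflects the defaults of BIND releases of that era rather than anything the article states.

```python
"""Audit a BIND named.conf fragment for open recursion and open zone
transfers. Added example, not code from the article or from ISC;
the configurations and addresses below are constructed."""
import re

# Constructed: recursion and transfers offered to the whole Internet.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };
    allow-transfer { any; };
};
"""

# Constructed: recursion (and cache reads) limited to internal resolvers,
# transfers limited to the two authorized secondaries. Addresses are
# documentation ranges, not real hosts.
HARDENED_CONF = """
acl internal    { 10.0.0.0/8; 127.0.0.1; };
acl secondaries { 192.0.2.53; 198.51.100.53; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion   { internal; };
    allow-query-cache { internal; };
    allow-transfer    { secondaries; };
};
"""


def address_list(conf, directive):
    """Entries of `directive { a; b; };`, or None if the directive is absent."""
    m = re.search(r'(?<![-\w])' + re.escape(directive) + r'\s*\{([^}]*)\}', conf)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(';') if e.strip()]


def is_open(entries):
    """A missing directive is treated as open: allow-recursion defaulted to
    any before BIND 9.4, and allow-transfer defaulted to any in BIND 9 of
    that era. `any` or 0.0.0.0/0 in the list is open outright."""
    if entries is None:
        return True
    return any(e in ('any', '0.0.0.0/0') for e in entries)


def recursion_enabled(conf):
    """BIND defaults `recursion` to yes when the directive is absent."""
    m = re.search(r'(?<![-\w])recursion\s+(yes|no)\s*;', conf)
    return m is None or m.group(1) == 'yes'


def audit_named_conf(conf):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    if recursion_enabled(conf) and is_open(address_list(conf, 'allow-recursion')):
        findings.append('open recursion: any Internet host can use this server '
                        'as a resolver (amplification reflector, cache snooping)')
    if is_open(address_list(conf, 'allow-transfer')):
        findings.append('open zone transfer: any host can pull the whole zone')
    return findings


if __name__ == '__main__':
    for name, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(name, audit_named_conf(conf) or ['ok'])
```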

“It’s a hard attack to detect,” says Lindner, “because if you’re running a big website and all of a sudden no one is coming to your website, you know something’s wrong. But if a half dozen name servers have cache poisoning, it’s too small [a diversion] and you won’t notice it.”

There has been talk for years of making DNS bulletproof by adding a public-key cryptography layer through an approach called DNSsec. “DNSsec tries to solve the spoofing problem that SSL has already solved, and the extra round-trip for DNS queries to get the public-key record only adds latency [to data traffic],” says Nate Lawson, a senior researcher at Cryptography Research. Public-key cryptography also requires companies to authenticate themselves to a certificate authority and pay for the use of a certificate, reducing the chance that many will buy in to the system. Finally, according to Kaminsky, a fundamental problem is getting all the root domains to sign up. “Everyone above you in the DNS tree must be signed,” he says. “Everyone has to get on board or it doesn’t work.”

Despite these concerns, DNS isn’t the biggest security worry a company can have. (“E-mail’s in way more dire straits,” Kaminsky says.) Yet it can still cause significant problems, and chances are good that any company has potential problems with at least some of its DNS name servers. ■

Erik Sherman is a freelance writer based in Massachusetts. Send feedback to csoletters@cxo.com.




Organized retail crime costs retailers billions of dollars each year, and Limited Brands’ John Talamo


By  Sarah  D.  Scalet 


JOHN TALAMO KNOWS exactly how profitable shoplifting can be—and that’s what drives him nuts.

As vice president of loss prevention at Limited Brands in Columbus, Ohio, Talamo has made it his mission to fight organized retail crime—groups of professional shoplifters who can steal $25,000 worth of merchandise from a mall in one fell swoop, then turn around and sell the loot to a fencing operation that offers it to the public at half the retail price. According to one Limited informant, a good “boosting” operation, as these crews of shoplifters are called, can net more than $40,000 in one day—“not bad for a day’s worth of shopping,” Talamo quips.

No wonder organized retail crime (called ORC here) is a booming business. In the last year, Victoria’s Secret—Limited’s most popular target—has had more than $2.7 million worth of bras reported stolen, a more than 80 percent increase over the previous year. But Talamo, who is also cochair of the Joint Organized Retail Crime Task Force established by the National Retail Federation, is working to make ORC decidedly less profitable. He does this both by leading an aggressive team of investigators and by working to educate law enforcement, prosecutors and judges about this type of crime.

“Limited Brands and John specifically have really helped put organized retail crime on the map over the last three or four years,” says Joseph LaRocca, vice president of loss prevention at the National Retail Federation, a trade group in Washington, D.C. “No case is a good case. A case means that someone got away with something. But Limited has been able to really show the industry what good investigative skills and good collaboration with law enforcement can produce.”

Senior Editor Sarah D. Scalet recently spoke to Talamo about how ORC works, how Limited Brands is changing its strategy to focus on fencing operations and victims’ rights, and why thieves are so attracted to Victoria’s Secret bras.


IN THIS STORY: How organized retail crime works ■ How Limited Brands organizes its response team


CSO: How organized is organized retail crime these days?

John Talamo: It’s a very big business. Every year the University of Florida conducts a security survey, and in the last results, shrink as a whole was $37.4 billion total. Thirty-three percent of that was external theft, the majority of which is organized retail crime theft. So ORC conservatively is a $12.3 billion problem, but I believe that number is understated because it doesn’t include credit card fraud, counterfeiting and receipt fraud. ORC is a bigger problem than auto theft, which is $7.6 billion; burglary, which is $3.5 billion; and larceny, which is $5.15 billion (according to the FBI’s uniform crime report of 2004). In 2006, President Bush signed the first-ever organized retail crime legislation, H.R. 3402, which establishes an FBI task force on ORC and also the creation of a national database. The mere fact that we now have federal legislation that crosses over the boundaries of state lines will be a big help. But this [fight] is just in its infancy right now.


What constitutes a big boosting operation?

In a normal crew, you’ll have a leader, who negotiates the deal with the fence—and that’s important, because after they steal the product they need to be able to move it quickly to the fence. You’ll also have someone to drive the vehicle, which is usually a van; in addition to being the getaway car, it’s really the storage locker. Then you have someone who’s called the distracter, who will distract the sales associates. If the group wants to steal bras from the front of the store, the distracter may say, “I have a question about your new fragrance,” and take the salesperson off to the fragrance area. They may also have a lookout—someone who watches to see who’s coming, and who may have a code for the group if they see something. They may have a booster, the person who actually steals the product, and a mule, who carries the product out to the van. A good crew also has someone who does countersurveillance, now that groups like us, Target, Wal-Mart, TJX and Gap have our own ORC departments. We’re watching them; they’re watching us. If they notice loss prevention professionals, they’ll move on.

Here’s how it works. You know how people hold merchandise up in the air to look at it? When the booster is ready to steal, maybe the lookout holds up a top, so that when employees look over, all they’ll see is what looks like a customer looking at a piece of product. What they don’t see is the booster on their knees on the floor taking the product out of the drawers and putting it into the booster bag, which is usually lined with aluminum foil or duct tape that helps defeat the [electronic article surveillance system]. Then you’ll have a mule who’ll pick the bag up from inside the store and carry it out to the van. They’ll put the goods in there, and then they’ll repeat the process.

It’s a repeatable business model—when something works, you keep using it.

They’ll also change their appearance. They’ll change their tops. They’ll put on sunglasses or take off sunglasses. We’ve seen some use wigs. You wouldn’t believe some of these pictures. You’ll see someone who has her hair up and no makeup, and now she has her hair down and makeup, and she looks like almost a different person.


So you have to catch all of them in the van, not just the mule with the bag.

That’s our goal. We have one case we’re working on where our team has apprehended an individual in five different states. He has warrants out for his arrest in five different states. This individual will have two of everything—two vans, two boosters. In Rhode Island, we apprehended his crew but only got one van. The other van got away. When two boosters go in opposite directions, depending on your manpower you can only go after one of them.

Our strategy is based on data analysis and intelligence. Once we’ve identified a location that has been frequented by these professional boosters, when our team gets to the mall, our ORC manager will contact mall security and say, “We’re going to be here today working the mall.” They’ve already established a relationship with security and the police department in these areas. Then they’ll start conducting surveillance. Someone will be in the parking lot looking for somebody coming back and forth to a van, dropping product. If we see that, we’ll pick up surveillance of that person back to the mall. Also they’ll do surveillance of our stores. We usually have four stores in a mall—Victoria’s Secret, Express, Limited, Bath & Body Works, sometimes White Barn Candle Company. Once they identify a crew that starts to steal from our stores, what they do is continue the surveillance. They don’t apprehend the mule. The team leader will call our local police contact and say, “OK, we have identified a professional crew stealing from our stores. We’ve observed them stealing the product; we’ve followed them out to the vehicle. This is what the vehicle looks like, and this is the plate number.” They’ll continue the surveillance for as long as the crew works the mall.


How do you decide what malls you’re going to do surveillance at, and when?

We have an incident reporting package, and I’ve created an organized retail crime section in it. In our company, we consider any theft where $500 of merchandise is stolen an ORC theft. That gets called in and goes into our database. We collect all the necessary data. What day of the week was it? Where did it happen? Mall, brand, date, time and method of operation. We have a few years’ worth of data. We know that we usually don’t experience any ORC thefts prior to noon or 1 p.m. Usually Mondays and Tuesdays are very quiet. Wednesday starts to pick up. It builds Thursday and Friday, and then peaks on Saturday.


Because the malls are more crowded?

Yes. When the mall is crowded, it’s easy to blend in and take advantage of a busy store team. Sunday is also busy, but it declines; sometimes Sunday is a travel day for the crews. From that data analysis, we know which stores are targeted most frequently, what time they’re targeted.

We continue to focus on data analysis, trying to come up with that elusive predictive model. What we’re trying to work at now is if you’re in New Jersey and someone steals from Woodbridge, I’d like to know that 70 percent of the time they’re going to Menlo Park. If we have ORC staff in the area, we can send them there, apprehend the crew and recover the products stolen from Woodbridge. If we don’t have any ORC team members in the area, we could call the mall and let our stores know to be on the lookout. We have over 3,800 stores, and we only have 30 people on the ORC team, so we have to be smart at deploying our resources.

Is most of your effort focused on the thefts versus shutting down the fencing operations?

We spend a lot of time on the fences also. They all link together. One of the things we’re experimenting with is, in the New York City area, we’ve actually created what we call a fence operations team. But all the ORC teams work the malls and work the fences. We try to give fences a priority, because if we shut down a fence then the crews have no one to sell to.

Can you describe a big fencing operation?

There are three kinds of fences that we work. The first is fences that are open to the public. These are street-front stores, and anyone could walk inside. Second, there are fences that are completely underground, where you’ll need either an invitation or a referral to get in. They’ll be in the basement of someone’s home, or we’ve seen many times the whole home is a fence.

Would a small shop owner go to one of these places, or is the buyer actually going to use the product?

In these types of locations, the clientele is mainly the local population that’s buying retail product to use themselves or give as gifts. These are people who probably wouldn’t pay $48 for a bra at Victoria’s Secret because they can’t afford it, but they’ll pay half the price for it. But we also see people coming in from other countries and buying suitcases full of product to take back to resell. I was involved in a fence operation where a woman had three suitcases stacked inside each other and $7,000 in cash, so she was planning on bringing the stuff overseas to sell.

People must know they’re buying something that’s been stolen.

I would think so. Many times these fence operators are very popular in the community, because they provide a service. Even though buyers may think it’s stolen, they’re not going to turn in someone who’s providing a service in their community.

The third kind of fencing is e-fencing on the Internet. If you think about the old days, if I was a crook selling stolen jeans out of the back of my car, maybe I could sell 10, 20, 30 pairs of jeans a week. But if I put it on eBay, I have access to a global consumer. The sky is the limit. Maybe instead of selling 30 pairs of jeans a week I’m selling 300. Well, where am I getting those jeans? It’s a supply and demand issue. The more I can sell, the more they’ll steal. [For more on e-fencing, see “Auction Blocks,” www.csoonline.com/read/080105.]

The fences are getting smarter. When I first started doing fence investigations, in the early 1990s, fences would keep all their product in their fence location. Then, your only risk was getting burglarized or held up by a rival gang or business; they never had to worry about being arrested. Now with all the attention around ORC, they’re dividing up their inventory. Big fences have places where they do storage and processing.

We just shut down a big one in Queens, N.Y. It was called Corona Fashions, and it was open to the public in an area where there’s a lot of fence activity. This particular place had a couple thousand units from all our brands. They had Express jeans, Victoria’s Secret bras and panties, and some Victoria’s Secret fragrance. We started to do surveillance of the location. We saw the owner of the place open in the morning, and at the end of the day we followed him to another location. At this other location, late in the evening booster crews would drive up with garbage bags filled with product. The store owner would process the product and separate it by brand, and then bring it over to the store as needed. We worked in close partnership with the New York Police Department’s organized theft task force on this investigation, and when search warrants were obtained we were able to see the inner workings of the facility. That place had about $1 million worth of product when it was raided, of all different brands.

If you think about it, what makes all this worthwhile? Thieves have turned retail theft into a lucrative business. We have intelligence from a crew leader turned informant, and he says that his crew—he had a big crew, and they were good—would target as many as seven malls in a day. They’d steal about $25,000 per mall. So you figure that’s $175,000 in a day, and they’d unload it for about 25 percent of ticketed value. So that’s $43,750. Not bad for a day’s worth of shopping.

LEGISLATION SNAPSHOT
Recent measures related to organized retail crime

New Jersey S. 273 (effective Aug. 2, 2006): Criminalizes organized retail theft, defined as two or more persons “who engage in the conduct of or are associated for the purpose of effectuating the transfer or sale of shoplifted merchandise.” The law establishes lower value thresholds for prosecution in cases where organized retail theft is involved. For instance, for shoplifting to be considered a crime of the second degree, the full retail value of the merchandise must be $75,000 or more, but if the offense is committed with an organized retail theft enterprise, the full retail value of the merchandise need be only $1,000 or more.

Colorado H.B. 06-1380 (effective July 1, 2006): Creates a temporary interagency task force to research organized retail theft and make recommendations regarding law enforcement and education about retail theft. The law also makes it a misdemeanor to sell certain items—including infant formula, batteries and razor blades—at a flea market without proof of ownership.

Washington State H.B. 2704 (effective June 7, 2006): Defines the circumstances in which someone would be guilty of organized retail theft, with the lowest threshold being theft of property with a value of at least $250 from a mercantile establishment with an accomplice. The law also allows prosecutors to aggregate thefts committed by the same person over 180 days, and to prosecute them in any county in which a theft occurred.

U.S. H.R. 3402, the Violence Against Women and DoJ Reauthorization Act of 2005 (effective Jan. 5, 2006): As part of the Violence Against Women and Department of Justice Reauthorization Act of 2005, appropriates $5 million annually for four years for fighting organized retail theft. The law establishes an FBI task force to fight organized retail theft as well as a national database to allow law enforcement officials and retailers to share information about this type of crime.

What percentage do you think is going through online channels like eBay or Craigslist?

It’s escalating.

Does that mean other areas are decreasing?

No. The whole phenomenon is just growing. If you type in Victoria’s Secret into eBay, you’ll probably get about 22,000 auctions on a daily basis. I’m not saying all that merchandise is stolen, but you know what, if you’re selling 30 bras in different sizes at half the price, it’s highly suspicious. It’s not totally conclusive from a legal perspective. [But] it’s like, why would I sell a $100 Express gift card on eBay for $70 [unless it were obtained illegally]? It would be like putting a $100 bill on eBay and taking $70 back.

I just added a cybercrimes unit to my ORC team, two people to focus just on e-fencing and Internet crimes. We’ve had $100,000 cases where people are selling stuff online. These booster crews are stealing the products, they’re bringing them to these online fences, and some of them have brick-and-mortar locations too.

Is most of the theft from the stores as opposed to diverting a whole truckload of goods?


Most  of  it  is  from  the  stores,  although  we  do  have  cargo  theft.  We 
have  one  case  that  we’re  working  now  involving  a  fence  that  had 
138  cartons  of  our  Bath  &  Body  Works  lotions,  and  that  came 
from  cargo. 

Do  you  think  these  crime  rings  are  connected  to  an 
old-style  mob,  or  are  they  a  new  thing? 

These are more nontraditional organized crime groups. The old organized crime unit had a leader and a hierarchy under him. We don’t see that here. These guys are very organized, but they operate more like a terrorist cell. If we apprehend a leader and a crew, it doesn’t disrupt the operation of other leaders and their crews.

You’ve indicated that you’re going to be doing more in the way of exercising your rights as victims. How are you changing your strategy?

We have a two-pronged legal strategy, criminal and civil. On the criminal side, we want to ensure that when we apprehend these professional criminals they receive the maximum penalty, and we put them out of business for as long as we can. On the civil side, if they have any assets, we’re going to sue them for any damages they cause to our organization.

We’re also weighing in at certain key points in the criminal justice process. For example, we want to monitor and attend bail hearings to influence the bail amounts. Lots of judges and prosecutors may not think that this person is part of a larger organized crime group. They may just think they’re a petty shoplifter. They set the bail way too low, and then [the suspect] leaves.

Like this guy we’re chasing around the country now—he keeps making his bail. There have been cases where we’ve been able to influence those decisions, and they’ve made the bail really high. Then these guys sit in custody until their trial. It has a deterrent value. And you know what? If they’re sitting in custody or they’re incarcerated, they can’t be stealing from our stores.

We also attend arraignment, sentencing and restitution hearings. In one case, at a sentencing hearing in Crescent City, Calif., the defendant was convicted of a felony and received a one-year sentence, and was also ordered to pay $132,000 in restitution, which is unheard of in a retail case. This was someone who was actually a booster and e-fencing ring. They were boosting the product themselves and selling it themselves online at eBay.

One of the good things about Internet fencing is that it leaves an audit trail; that $132,000 was what they sold. At our retail, it was probably a quarter of a million dollar case. We also meet with prosecutors and try to make sure [professional criminals] do get prosecuted to the fullest extent of the law. Our people will testify and fill out impact statements. What we try to do is put a human face on a corporate victim.

There’s also a theory that some of these ORC groups have a link to terrorism.

They’re not the terrorists committing the terrorist acts, but they’re fund-raisers for terrorist groups. I attended a counterterrorism conference a few weeks ago, and they had four or five clear examples of where this was the case. A lot of the groups that we investigate don’t fit that criteria, but there are some that might.

What  did  you  think  of  Wal-Mart’s 
announcement  last  summer  that  it 
won’t  prosecute  people  who  steal 
less  than  $25  of  merchandise? 

I  don’t  think  there’s  anything  wrong  with 
the  announcement  or  the  policy.  Every 
retailer  has  a  similar  policy.  It  only  becomes 
newsworthy  because  it’s  Wal-Mart,  the 
largest  retailer  in  the  world.  We  work  in 
partnership  with  Wal-Mart;  they  have  an 
outstanding  program. 

It struck me as one of those things where it’s not a bad idea to have the policy, but you don’t really want to publicize it.

No,  I  don’t  think  so.  What  it  tells  me  is  they’re  focusing  their 
efforts  on  organized  retail  crime,  which  is  a  greater  problem 
than  someone  stealing  a  pack  of  gum. 

Victoria’s  Secret  bras  are  a  big  target,  with  more 
than  $2  million  of  them  reported  stolen  last  year. 
What  is  it  about  Victoria’s  Secret  bras? 

It’s a few things, and this is not an infomercial or a sales pitch. But clearly Victoria’s Secret is the most dominant lingerie brand in the world. The second part is, the bras are easy to steal. You could fit a lot of bras at $48 apiece into a shopping bag, more than jeans or anything else.

How  much  do  you  change  your  strategy  around  new 
product  lines  being  introduced  in  the  stores? 

The greatest risk we have is on a fragrance launch. Every time we have a fragrance launch, we have a full ORC launch strategy behind it. We track the product from the moment it’s produced, to the distribution facilities, to our stores. Our field people will do inspections of the product as it comes in, do carton and piece counts to make sure it all gets there. Once the product starts to be produced and reaches its finished-goods stage, we start to monitor the Internet for sales of it. Every launch, we do find the product for sale before it’s available to our customers.

On our last launch, we were able to make an arrest of a guy who was fencing the fragrance online.

What kind of ROI is your management looking for? Do they expect you to recover as much value of goods as you’re spending, or do they see it in the bigger picture?

They see it in the bigger picture. To figure out our ROI, we look at it a few ways. One, how much product have we recovered? Last year it was about $1.5 million retail value. We also look at what we call—and this is a new method to ORC, which is a relatively new discipline within the loss prevention function—our out-of-business value.

We’ve assessed a value for every 30 days one of these professional criminals spends incarcerated. I would say in the last 18 months, our ORC teams’ investigations have resulted in these criminals spending 618 months incarcerated, which equals 51.5 years, which is worth to us almost $2 million in out-of-business value. You add that to the $1.5 million of Limited Brands products, and now you’re looking at $3.5 million ROI.

The other piece of it is the soft side of the ROI, but we still have to figure out a way of measuring this. If you want to come into Victoria’s Secret, but someone came through—and we just had this yesterday—and stole $5,000 worth of merchandise, and now it’s not available for sale, as a customer, what does that do to the experience? Do you buy something else, or do you go somewhere else?


Senior  Editor  Sarah  D.  Scalet  can  be  reached  at  sscalet@cxo.com. 


Defining Organized Retail Theft

The federal law signed by President Bush in 2006 defines organized retail theft as

(1) the violation of a state prohibition on retail merchandise theft or shoplifting, if the violation consists of the theft of quantities of items that would not normally be purchased for personal use or consumption and for the purpose of reselling the items or for reentering the items into commerce;

(2) the receipt, possession, concealment, bartering, sale, transport or disposal of any property that is known or should be known to have been taken in violation of paragraph (1); or

(3) the coordination, organization or recruitment of persons to undertake the conduct described in paragraph (1) or (2).




CSO Perspectives - The Business Case for Security
How to Plan, Deliver, Measure and Communicate

The Broadmoor, Colorado Springs, Colorado
March 18 - 20, 2007

Learn from the best in the business about the process of building the business case for security

CSO Perspectives offers:

• security executives unparalleled access to many of the world’s leading experts in security and risk management

• the best security knowledge available to help you manage your own enterprise securely

Don’t miss the Critical Incident Table Top Exercise - a dynamic and highly-interactive pre-conference session based on a critical incident. This “tabletop exercise”, facilitated by security experts from Michigan State University, involves role-playing interaction with public and private sector participants. This exercise will expose participants to the various dynamics - and widely different points of reference - that occur during the management of a critical incident. Being held Sunday, March 18th.

For more information and to register visit: www.csoonline.com/csop_2007 or call 800-366-0246

Opening Keynote: Security in an Uncertain World
L. Paul Bremer, Ambassador, Author of My Year in Iraq: The Struggle to Build a Future of Hope

Closing Keynote: Building A Great Security Organization
William Wipprecht, Executive Vice President and CSO, Wells Fargo & Co.

Speakers Include:

Bob Bragdon, Publisher, CSO magazine
Brad Brekke, Vice President - Assets Protection, Target
David Burrill, Director, BurrillGreen
Mark Connelly, Vice President and CISO, Sun Microsystems
Francis D’Addario, Vice President, Starbucks Coffee Company
Erik Heidt, Lead Technology Architect, Information Security, Fifth Third Bank
Radford Jones, Academic Specialist, School of Criminal Justice, Michigan State University
Elizabeth King, Vice President, Info Management Services, Starbucks Coffee Company
Darren Lacey, CISO and Director of IT Compliance, Johns Hopkins
Bruce Larson, Director, Security, American Water Works, Inc.
Dan Lohrmann, CISO, State of Michigan
John Martinicky, Director, Corporate Security, International Truck and Engine
Lynn Mattice, Vice President & CSO, Boston Scientific
David Meunier, Vice President and CISO, CUNA Mutual Group
Audrey Pantas, CISO, Xerox Corporation
Bhavesh Patel, Director, Information Security, Genzyme Corporation
William Ramsey, Director, Security, McCormick & Company, Inc.
Derek Slater, Editor in Chief, CSO magazine
Francis Taylor, CSO, The General Electric Company
Dennis Treece, Security Chief, Massport
Brit Weber, Specialist, School of Criminal Justice, Michigan State University


THE RESOURCE FOR SECURITY EXECUTIVES

Sales and Services

CSO Sales Offices
President and CEO: Michael Friedenberg • 508 935-4310
Publisher: Bob Bragdon • 508 935-4443
Senior Ad Sales Associate: Christine Hopkins • 508 988-7836

Eastern Territory
East Coast Regional Manager: Roz Burke • 508 935-4163

Western Territory
Senior Regional Sales Manager: Al Collins • 415 975-2686

Integrated Media and Online Sales
VP, Integrated Media and Online Sales: Jim Alla • 508 988-6763
Online Regional Sales Managers: Tina Dudarevitch • 718 279-2396; Lori Kehoe • 415 978-3329
Online District Sales Manager: Sara Mascall • 415 978-3385
Manager, Online Account Services: Danielle Tetreault • 508 988-7969
Online Account Services Specialist: Valerie Sumner • 508 988-7877
Online Ad Sales Associate: Devon Slattery • 415 975-2687
Online Advertising Specialist: Irina Gabechiia • 508 935-4414
Sales Associate: Nicole Blackburn • 508 935-4154
Online Account Services Coordinator: Hayley Nickerson • 508 988-7819

Custom Solutions Group
Vice President: Matt Avery • 508 935-4796
Director of Sales: Mary Gregory • 508 988-6765
Executive Editor
Managing Editor
Jim Malone
Senior Project Manager: Amy Greenleaf
Project Managers: Karen Capland, Amy Freeman

CSO Executive Council
Managing Director: Bob Hayes
VP, Research and Product Development: Kathleen Kotwica
Director, IT and Product Technology: Greg Kane
Operations and Production Specialist: Jayne Marcucella
Member Services Manager: Elizabeth Lancaster

Production
VP/Manufacturing: Chris Cuoco
Production Manager: Heidi Broadley
Associate Production Manager: Lisa M. Stevenson

Executive Programs
VP, Executive Programs: Ellen Daly
Director, Business Development: John Vulopas
Director, Event Marketing: Mary Conroy
Director, Event Operations: Deb Begreen
Conference Producer: Judith Kittredge
Event Planner: Sarah Reagan
Registration Specialist: Cress O’Brien
Client Services Specialist: Erica Foster

Marketing
Sr. Director, Marketing Communications: Sue Yanovitch
Marketing Communications Specialist: Lynn Holmlund

Circulation
Senior VP/Circulation: Carol A. Spach
Subscription Services Supervisor: Tina Pescaro

List Services
Contact Paul Capone of IDG List Services at 508 370-0865 or pcapone@idglist.com.

Reprint Services
For article reprints (100 quantity or more), please contact Jennifer Eclipse at PARS International at 212 221-9595, ext. 237, or e-mail jeclipse@parsintl.com. For further sales information, visit www.csoonline.com/reprints/index.html.

CSO  Contact  Information 

Editorial/Advertising/ 

Business  Offices 

492  Old  Connecticut  Path,  P.O.  Box  9208, 
Framingham,  MA  01701-9208 
Main  phone  number:  508  872-0080 

Postal  Information 

CSO (ISSN 1540-904x) is published monthly by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodicals Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. CANADIAN POSTMASTER: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9.

Permissions 

Copyright 2007 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Send requests to Yadira Pizarro, PARS International, 212 221-9595, ext. 231, or e-mail yadira@parsintl.com.

Photocopy  Rights 

Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that the base fee of $3 per copy of the article, plus $.50 per page, is paid directly to Copyright Clearance Center, 27 Congress Street, Salem, MA 01970. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol:

Subscriptions 

Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065: 866 354-1125.

CSO is free to qualified information executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin.

Change  of  Address 

Go  to  www.omeda.com/custsrv/cso  and 
follow  the  online  instructions. 

Postmaster 

Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065.

Printed  in  the  USA. 


Index  of  Companies  and  Advertisers 

Company  Index 

Amazon.com Inc . 22
American  Electric  Power  . 26 

Benetech  Initiative,  The . 13 

Boeing . 13 

Bonneville  Power  Administration . 26 

BorderWare  Technologies  Inc . 13 

BT  Radianz . 38 

Carnegie  Mellon  University  . 38 

Cryptography  Research  Inc . 38 

Digg  Inc . 6 

DTE  Energy  Co . 6,  26 

Edison  Electric  Institute . 26 

EDS  Corp . 8 

Facebook  .  6 

Google  Inc . 6, 13 

Harvard  University . 22 

Infoblox  Inc . 13,  38 

Institute  of  Scrap  Recycling  Industries  ...  26 

IOActive Inc . 38

Limited  Brands . 42 

London  Metals  Exchange  Ltd.,  The . 26 

Long  Island  Business  News . 26 

Measurement  Factory,  The . 13,  38 

MediaNews  Group  Inc . 26 

Microsoft  Corp . 20 

MySpace  . 6 

National  Crime  Prevention  Council  . 26 

National  Institute  on  Drug  Abuse,  The  ...  26 

National  Retail  Federation  . 42 

National  Security  Archive . 13 

New  York  Times  Co.,  The . 13 

Ponemon  Institute  LLC . 8 

Privacy  Rights  Clearinghouse  . 13 

Proskauer  Rose  LLP . 8 

Reddit.com . 6 

Scotiabank . 26 

Solomon  Metals  Corp . 26 

Sony  Corp . 13 

Streamload  Inc . 13 

Symantec  Corp . 13 

U.S.  Department  of  Homeland  Security  .  .  38 

Village  Voice  Media  . 26 

WestLB  AG . 6 

YouTube  Inc . 6 

Advertiser Index

Authenex  Inc . 9 

BigFix  Inc . 7 

CA  . C4 

CXO Media Inc . 11, 37, 48, 51

Fortify  Software . C3 

Gemalto . 19 

HID  Corp . 25 

IBM  Corp . 33 

ISACA . 12 

Juniper  Networks  Inc . 3 

Novell  Inc . C2 

Oracle  Corp . 15 

Ounce  Labs  Inc . 5 

LURHQ/SecureWorks . 21 

Sharp  Corp . 23 

Thales  eSecurity  Inc . 35 

TSFACTORY  . 40 

Tyco  Fire  &  Security . 17 

Verdasys . 10a 


50  www.csoonline.com  February  2007 


www.cio.com/conferences

The CIO Pocket MBA

April 23-27, 2007

Get the CIO Pocket MBA Advantage

Register now as space is limited!

management.bu.edu/exec/elc/ciopocket

Or contact us directly at:

Phone: 617-353-4248
Email: elc@management.bu.edu

The early registration discount rate for this program is $4,245 if you register before March 23rd. After March 23rd the registration rate for this course is $4,995.

Boston University's Executive Leadership Center
Boston University School of Management

For complete program details visit management.bu.edu/exec/elc/ciopocket

Programs

A Commitment to Excellence
A New Era In Collaboration
World-Class Education With Real World Application

Sessions Presented By Boston University Scholars:

catraman

John C. Henderson

and other distinguished faculty

Presented by:

CIO

BOSTON UNIVERSITY

Business Technology Leadership


1.  According  to  crowd  dynamics  expert  Dr. 
Keith  G.  Still,  what  is  the  leading  cause  of 
death  in  crowding  incidents  such  as  rushes, 
crushes  or  stampedes? 

a.  Crushing 

b.  Head  injuries 

c.  Asphyxiation 

d.  Internal  injuries 

2.  In  an  April  2001  crowd  crush  at  a  South 
African  football  match  that  killed  at  least 
43,  about  how  many  people  were  pushing 
their  way  into  Ellis  Park  Stadium,  capacity 
68,000? 

a.  70,000  b.  80,000 

c.  90,000  d.  120,000 

3.  According  to  reports,  what  was  a 
likely  cause  of  a  stampede  that  killed  six 
children  in  a  stairwell  at  a  school  in  China 
in  November  2006? 

a.  One  child  bending  over  to  tie  a 
shoelace  on  the  stairs 

b.  Children  lighting  firecrackers  that 
startled  the  crowd 

c.  A  locked  door  at  the  bottom  of  the 
stairs  preventing  kids  from  getting  out 

d.  Kids  rushing  because  they  were 
excited  for  the  last  day  of  school 


4.  Rank  the  following  by  the  average 
amount  of  area  they  take  up  in  a  standing 
position,  from  most  area  to  least. 

a.  Japanese  males 

b.  British  males 

c.  Swiss  females 

d.  Polish  males 

e.  French  females 

5.  True  or  False:  Braess’s  paradox  can  be 
summarized  as  "The  fewer  people  entering 
a  space,  the  more  routes  they’ll  take  to  get 
there.” 

6.  According  to  Dr.  Still,  how  long  can  a 
space  endure  high  density  (four  people 
per  square  meter)  before  it  should  be 
considered  a  safety  concern? 

a.  30  seconds 

b.  6  minutes 

c.  20  minutes 

d.  1  hour 

7.  About  how  many  liters  of  air  does  a 
crowd  of  80,000  breathe  in  every  second? 

a.  500  b.  2,500 

c.  7,700  d.  9,300 


8. True or False: You can anticipate distress in a crowd by a rising pitch of the collective noise that comes from its members, a phenomenon called "hive noise."

9.  Which  of  the  following  is  a  term  for  fear 
of  crowds? 

a.  Demophobia 

b.  Agoraphobia 

c.  Enochlophobia 

d.  All  of  the  above 

10.  How  many  people  could  convene 
comfortably  in  a  150  square  meter  kitchen, 
during  a  party,  according  to  licensing 
authorities? 

a.  100  b.  75  c.  50  d.  25 

Bonus  question:  According  to  a  poem  by 
Ernest  Lawrence  Thayer,  what  was  it  “no 
stranger  in  the  crowd  could  doubt”? 


How’d  You  Do? 


1-3  CORRECT:  PLEASE  DISPERSE  4-8  CORRECT:  LINE  FORMS  TO  THE  LEFT 
9-11  CORRECT:  V.I.P.s  ENTER  TO  THE  RIGHT 


ANSWERS (printed upside down on the original page; only the parts legible in the scan are given here): 1. c; 5. False (Braess's paradox can be summarized as "increasing choice of routes increases congestion"); 8. True; 10. c (authorities recommend you divide the total square meters by three); Bonus question: "...'twas Casey at the bat..."




PHOTO  BY  ADEEL  HALIM/REUTERS 


Advertisement 


SECURITY 


HACKISTAN 


Gross national product: From legal activities, $5MM. From illegal activities, $167 Billion.

Per capita income: 99% live on less than $10/week; 1% cavort like Donald Trump

Main  industries:  Key  logging,  yak  jerky 
production,  phishing 

Counterfeit  ATM  cards  per  capita:  17  3 

Chief exports: V1a@GRA and Ciali s

National  bird:  Roasted  vulture 

National  anthem:  “I  Sing  of  Proud 
Hackistan,  Land  of  My  Mother's 
Facial  Hair" 


©  2007  Fortify  Software  Inc 


Hackistan leader shakes confidence of I.T. world.

Conventional firewalls unable to withstand expected onslaught.


The conclusions of the Hackistan Study Group (HSG) offer an alarming assessment of the hacking threats posed by this rogue nation.

Hackistan has toyed with security professionals ever since a state-sponsored team of digital terrorists hacked into the FAA database and put Harry Truman on a no-fly list. But the situation is worsening, as the report cites "an alarming investment in Hackistan's elite Bot Army." It noted that "the growing sophistication of their logic bombs, Trojans and SQL injection techniques is gravely disturbing."

Many are banking on California-based Fortify Software, a leader in software security, to neutralize these threats. Commenting on Fortify's groundbreaking approach, the report said that "protecting applications at the code level is increasingly being viewed as the only viable path to creating confidence in a very dangerous world."

Contacted at Fortify's global headquarters, John M. Jack, the company's CEO, was undaunted by Hackistan's bluster, commenting that "true, for the rest of the security industry they are a devastating threat. For us, they're amateurs who couldn't break into my daughter's Kevin Federline lunch box." He added, "We are able to identify and fix vulnerabilities throughout the entire development process. We anticipate that frustrated hackers, hungry and broke, will have to move back in with their parents in record numbers."

No Hackistan official was available for comment, but a blog post that is believed to come from a senior Hackistan official (or even Lifetime Despot Zorkul himself) mocked the security efforts of government and industry, saying that "the chances of the world getting serious about code security are about as likely as John Jack waking up with a full head of hair."

"The study group warned against pro-Hackistan propaganda that appears on web sites like www.discoverhachistan.com."


CEO Jack fired back: "I have ultimate confidence that our products Fortify SCA, Fortify Tracer and Fortify Defender will block Hackistan's nefarious plans. Zorkul's desperation is also apparent; he has chosen to attack me on the follicle level because they are powerless to reach us on the code level."

Leading the fight against Hackistan is an innovative high-tech company called Fortify Software. The company said it will not rest until Hackistan is turned into a Club Med vacation spot.


FORTIFY SOFTWARE


REPRINTED  FROM  GLOBAL  SECURITY  UPDATE,  JANUARY  2007  •  JOIN  THE  FIGHT  AGAINST  HACKISTAN  •  GO  TO  WWW.FORTIFYSOFTWARE.COM. 


Innovative IT helps illycaffe keep the coffee flowing to over 130 countries.


Simplified  IT  management:  the  sweet  smell  of  success. 

As illycaffe's sales grew, so did its IT environment, but not its IT budget. CA software solutions enabled illycaffe to accommodate this growth by unifying the assets it already had. Automated processes boost productivity while managing costs. Operational efficiency is increased without adding staff. And illycaffe gets maximum business value from its IT investment, which keeps the espresso flowing around the world 24/7. Learn how CA software solutions enable enterprises like illycaffe to realize the full power of IT at ca.com/customers.



Copyright  ©2007  CA.  All  rights  reserved. 


Transforming IT Management